xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

tmp.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2784-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-45-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-48-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-49-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-50-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-52-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-51-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-63-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2784-64-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 3 IoCs

Processes:

todymdgvwmgb.exetodymdgvwmgb.exe

pid process

468
2408 todymdgvwmgb.exe
872 todymdgvwmgb.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

468

pid	process
468
2408	todymdgvwmgb.exe
872	todymdgvwmgb.exe

pid	process
468

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2408 set thread context of 2004	2408	todymdgvwmgb.exe	conhost.exe
PID 2408 set thread context of 2784	2408	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1248 sc.exe
2644 sc.exe
2668 sc.exe
2436 sc.exe

pid	process
1248	sc.exe
2644	sc.exe
2668	sc.exe
2436	sc.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

tmp.exetodymdgvwmgb.execonhost.exetodymdgvwmgb.exe

pid	process
3040	tmp.exe
3040	tmp.exe
3040	tmp.exe
3040	tmp.exe
3040	tmp.exe
3040	tmp.exe
3040	tmp.exe
3040	tmp.exe
3040	tmp.exe
2408	todymdgvwmgb.exe
2408	todymdgvwmgb.exe
2408	todymdgvwmgb.exe
2408	todymdgvwmgb.exe
2408	todymdgvwmgb.exe
2408	todymdgvwmgb.exe
2408	todymdgvwmgb.exe
2004	conhost.exe
872	todymdgvwmgb.exe
872	todymdgvwmgb.exe
872	todymdgvwmgb.exe
872	todymdgvwmgb.exe
872	todymdgvwmgb.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	2524	powercfg.exe
Token: SeShutdownPrivilege	2564	powercfg.exe
Token: SeShutdownPrivilege	2628	powercfg.exe
Token: SeShutdownPrivilege	2608	powercfg.exe
Token: SeShutdownPrivilege	2632	powercfg.exe
Token: SeShutdownPrivilege	2916	powercfg.exe
Token: SeShutdownPrivilege	2416	powercfg.exe
Token: SeShutdownPrivilege	2396	powercfg.exe
Token: SeLockMemoryPrivilege	2784	svchost.exe
Token: SeShutdownPrivilege	2604	powercfg.exe
Token: SeShutdownPrivilege	2516	powercfg.exe
Token: SeShutdownPrivilege	2484	powercfg.exe
Token: SeShutdownPrivilege	2400	powercfg.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2408 wrote to memory of 2004	2408	todymdgvwmgb.exe	conhost.exe
PID 2408 wrote to memory of 2004	2408	todymdgvwmgb.exe	conhost.exe
PID 2408 wrote to memory of 2004	2408	todymdgvwmgb.exe	conhost.exe
PID 2408 wrote to memory of 2004	2408	todymdgvwmgb.exe	conhost.exe
PID 2408 wrote to memory of 2004	2408	todymdgvwmgb.exe	conhost.exe
PID 2408 wrote to memory of 2004	2408	todymdgvwmgb.exe	conhost.exe
PID 2408 wrote to memory of 2004	2408	todymdgvwmgb.exe	conhost.exe
PID 2408 wrote to memory of 2004	2408	todymdgvwmgb.exe	conhost.exe
PID 2408 wrote to memory of 2004	2408	todymdgvwmgb.exe	conhost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe
PID 2408 wrote to memory of 2784	2408	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:2644

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:2668

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:2436

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:1248

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2004

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
"C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:872

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
2.0MB

MD5
4667b1d29db52895e9c50f864a9f261b

SHA1
bb9a8b91e0ebd0fe265f7b6375d867f9fad8c494

SHA256
49c4caa7a243753ee3817afe976cc58952a947783069c634f6997cb6db4666d2

SHA512
c76c12bb715ee087a7da4d52c30e7e20a1e7e807a27c8171b754793e8743776d64ba58276c61bb7a3dda97353501c33eec28c69f4699f19311825983f5fcb639

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
6.4MB

MD5
96710037eae45b89d838bb7a4ef02434

SHA1
0e4305f9919c04b4614ad78e14a3b4ea36ff85a5

SHA256
df58e5d6a1eaf0e39ca7cba8019cba132f5587d88a01d6d1876dc8840b710c89

SHA512
2741ff2292f67de911a955b453f5b0c2eac3f3cb5f6cf52e2397f0c71d3ca7cfd177d0232a09f6e8a453368640b1e0e8cc6e4ff342e2155577e1bf6d249c053a

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
1.2MB

MD5
6788880c4272e78f72b79308c1bcf630

SHA1
1ecd20f634496cd05d6e643b5ba313dacba11bfd

SHA256
0761e72303ec9756572e6185dff02bdfec555445bc0d3ac62b08ab108161cd2e

SHA512
e0e5324733deecc182a7037f8c8358a653085b502176c741b0e1d0bd788c541ed37b3d4c8c0678392001ea6fd254523d1cd6e33b6c9837cb07fb4f291d12843e

Download Submit
C:\Windows\TEMP\ilfutfbguvtk.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
2.7MB

MD5
e81e22a18cb53e49d2ae3be420bdb5d6

SHA1
d0fc93d1f908dd90e01ea5661b17ec7b79e2ec09

SHA256
932d7412436a60e464cee96a98016b6b868f1f0bac6e8a7bb7185a381fdf15dd

SHA512
a25cb49707e0a5ae25f08e119c526daebff3122fdf93ae67c3279deb76b8b05d7b955eb9437f7397ca51568a9bfad1ed6573729faa0edeb3d286dc19735a36a0

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
2.3MB

MD5
ed75a142f666dfa8c26743d2e46a13f0

SHA1
c8c5aa5bd636bbd52553b62d389675117fc3a034

SHA256
7361369a3be7910462aac8dcb51b5a7e8721921a12ec6069f412ff33f906cae4

SHA512
4f3342442a7f7bffb784dd15c7c3fc7ec161ed0d50353a1a0ec817ffbd534fa53205d397c832183c2b1b55d0e46332cd4fbed2bb5fda7d9e0150c07a3a6ebf50

Download Submit
memory/872-58-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/872-55-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/872-60-0x0000000077060000-0x0000000077209000-memory.dmp

Filesize
1.7MB

Download
memory/872-68-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/872-69-0x0000000077060000-0x0000000077209000-memory.dmp

Filesize
1.7MB

Download
memory/2004-25-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2004-26-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2004-27-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2004-28-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2004-29-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2004-32-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2408-24-0x0000000077060000-0x0000000077209000-memory.dmp

Filesize
1.7MB

Download
memory/2408-20-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2408-47-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2408-44-0x0000000077060000-0x0000000077209000-memory.dmp

Filesize
1.7MB

Download
memory/2784-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-49-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-70-0x0000000000110000-0x0000000000130000-memory.dmp

Filesize
128KB

Download
memory/2784-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-45-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-46-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2784-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-48-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-50-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-52-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-51-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-67-0x0000000000110000-0x0000000000130000-memory.dmp

Filesize
128KB

Download
memory/2784-64-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2784-63-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3040-7-0x0000000077060000-0x0000000077209000-memory.dmp

Filesize
1.7MB

Download
memory/3040-10-0x0000000077060000-0x0000000077209000-memory.dmp

Filesize
1.7MB

Download
memory/3040-5-0x0000000077210000-0x0000000077212000-memory.dmp

Filesize
8KB

Download
memory/3040-11-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/3040-4-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/3040-2-0x0000000077210000-0x0000000077212000-memory.dmp

Filesize
8KB

Download
memory/3040-0-0x0000000077210000-0x0000000077212000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads