xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

tmp.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1708-9-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1708-11-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1708-12-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1708-13-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1708-14-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1708-15-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1708-17-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1708-18-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

todymdgvwmgb.exe

pid process

448 todymdgvwmgb.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4384 sc.exe
1116 sc.exe
1324 sc.exe
4644 sc.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tmp.exe

pid process

1424 tmp.exe
1424 tmp.exe
1424 tmp.exe
1424 tmp.exe
1424 tmp.exe
1424 tmp.exe
1424 tmp.exe
1424 tmp.exe
1424 tmp.exe
1424 tmp.exe

pid	process
448	todymdgvwmgb.exe

pid	process
4384	sc.exe
1116	sc.exe
1324	sc.exe
4644	sc.exe

pid	process
1424	tmp.exe
1424	tmp.exe
1424	tmp.exe
1424	tmp.exe
1424	tmp.exe
1424	tmp.exe
1424	tmp.exe
1424	tmp.exe
1424	tmp.exe
1424	tmp.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	3296	powercfg.exe
Token: SeCreatePagefilePrivilege	3296	powercfg.exe
Token: SeShutdownPrivilege	4952	powercfg.exe
Token: SeCreatePagefilePrivilege	4952	powercfg.exe
Token: SeShutdownPrivilege	4636	powercfg.exe
Token: SeCreatePagefilePrivilege	4636	powercfg.exe
Token: SeShutdownPrivilege	4072	powercfg.exe
Token: SeCreatePagefilePrivilege	4072	powercfg.exe
Token: SeShutdownPrivilege	2716	powercfg.exe
Token: SeCreatePagefilePrivilege	2716	powercfg.exe
Token: SeShutdownPrivilege	1100	powercfg.exe
Token: SeCreatePagefilePrivilege	1100	powercfg.exe
Token: SeShutdownPrivilege	464	powercfg.exe
Token: SeCreatePagefilePrivilege	464	powercfg.exe
Token: SeShutdownPrivilege	4940	powercfg.exe
Token: SeCreatePagefilePrivilege	4940	powercfg.exe
Token: SeLockMemoryPrivilege	1708	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:4384

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:1116

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:1324

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:4644

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
PID:448

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3616

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
6.6MB

MD5
431bab206455c3cf87a2c3928814976d

SHA1
64693d34849ee3d4bb2318e6185efeb1ecd7e1d2

SHA256
cfb6247a2823ac939262590d66f23f2c1427898f957be8633fa519aa31dc8388

SHA512
9cd26a937b9b42b54e17065a63a3a7ac362837221e565bab28c298c3b3f1f8fb2c353dcdbc67da6f9f9d7aed48a1b774cf98a87e518bb7ab4979a6df60512904

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
2.1MB

MD5
f31835cbdbe4955e9e1e051c7e208892

SHA1
bc9114530501396c61603c15db736a7a79027cfd

SHA256
7ff3cf6830941c32d9881f9e6dfddad66ebe039ab7c31443aebeb3dea91ba1c3

SHA512
bfd40d3dce56a51bb305d0f95c55d43f97dbe7c376f1fee6b494f7feb6f6fed940385f76d802e975f4008aa6fcdc331539b942bb40a3c19a3fdcf416ce296adc

Download Submit
memory/1424-2-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1424-1-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1424-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1424-0-0x00007FFD4CFF0000-0x00007FFD4CFF2000-memory.dmp

Filesize
8KB

Download
memory/1708-10-0x000001F1E13B0000-0x000001F1E13D0000-memory.dmp

Filesize
128KB

Download
memory/1708-9-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-11-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-12-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-13-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-14-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-15-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-16-0x000001F1E1610000-0x000001F1E1630000-memory.dmp

Filesize
128KB

Download
memory/1708-17-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-18-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1708-19-0x000001F1E1630000-0x000001F1E1650000-memory.dmp

Filesize
128KB

Download
memory/1708-20-0x000001F1E1630000-0x000001F1E1650000-memory.dmp

Filesize
128KB

Download
memory/3616-7-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing