xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

tmp.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/memory/2152-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2152-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1112	todymdgvwmgb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 4468	1112	todymdgvwmgb.exe	122
PID 1112 set thread context of 2152	1112	todymdgvwmgb.exe	127

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2972	sc.exe
3256	sc.exe
4156	sc.exe
3484	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3380	tmp.exe
3380	tmp.exe
3380	tmp.exe
3380	tmp.exe
3380	tmp.exe
3380	tmp.exe
3380	tmp.exe
3380	tmp.exe
3380	tmp.exe
3380	tmp.exe
1112	todymdgvwmgb.exe
1112	todymdgvwmgb.exe
1112	todymdgvwmgb.exe
1112	todymdgvwmgb.exe
1112	todymdgvwmgb.exe
1112	todymdgvwmgb.exe
1112	todymdgvwmgb.exe
1112	todymdgvwmgb.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2340	powercfg.exe
Token: SeCreatePagefilePrivilege	2340	powercfg.exe
Token: SeShutdownPrivilege	1932	powercfg.exe
Token: SeCreatePagefilePrivilege	1932	powercfg.exe
Token: SeShutdownPrivilege	4128	powercfg.exe
Token: SeCreatePagefilePrivilege	4128	powercfg.exe
Token: SeShutdownPrivilege	4000	powercfg.exe
Token: SeCreatePagefilePrivilege	4000	powercfg.exe
Token: SeShutdownPrivilege	4500	powercfg.exe
Token: SeCreatePagefilePrivilege	4500	powercfg.exe
Token: SeShutdownPrivilege	4360	powercfg.exe
Token: SeCreatePagefilePrivilege	4360	powercfg.exe
Token: SeShutdownPrivilege	4432	powercfg.exe
Token: SeCreatePagefilePrivilege	4432	powercfg.exe
Token: SeLockMemoryPrivilege	2152	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 4468	1112	todymdgvwmgb.exe	122
PID 1112 wrote to memory of 4468	1112	todymdgvwmgb.exe	122
PID 1112 wrote to memory of 4468	1112	todymdgvwmgb.exe	122
PID 1112 wrote to memory of 4468	1112	todymdgvwmgb.exe	122
PID 1112 wrote to memory of 4468	1112	todymdgvwmgb.exe	122
PID 1112 wrote to memory of 4468	1112	todymdgvwmgb.exe	122
PID 1112 wrote to memory of 4468	1112	todymdgvwmgb.exe	122
PID 1112 wrote to memory of 4468	1112	todymdgvwmgb.exe	122
PID 1112 wrote to memory of 4468	1112	todymdgvwmgb.exe	122
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127
PID 1112 wrote to memory of 2152	1112	todymdgvwmgb.exe	127

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3380
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4000
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "PHSWJLZY"
  2⤵
  - Launches sc.exe
  PID:3484
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2972
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:3256
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "PHSWJLZY"
  2⤵
  - Launches sc.exe
  PID:4156

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:2492
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4468
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
5.2MB

MD5
716b8af982a9afe2a4c703926947f9fa

SHA1
baff503c4409fbdf2c00d7b8f815427a48b1c315

SHA256
4e9748ee1c9381c262dfe58ce3618e8aa1d28e1761b987208cde79050683e0ad

SHA512
6854183ce7da6410eccb0b8185887f7041a6b5ac6f2277e1c426e0bdde0810608fe5870dd866b38551fa839a8b885aa472924f234a9086bb5ca8cbd9efff206c

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
6.6MB

MD5
73d2889fb647a48a51f9055223015ece

SHA1
ac19c2822af3f56f29b1b6f636c433a447d4131b

SHA256
298cdc8ebe87b84e349c38689ec25169b0d073a758b26419c970662cdc86d070

SHA512
5ff6826b211c3bdefef699ae64f9dae13c8dadf35ef5c5376cdd7c697c5caa8dd0c2ac2bfe55a0ed13cbf4d303dcd0b132fd385b5fae4aa47f266317c4a1a56e

Download Submit
memory/1112-32-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1112-9-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1112-10-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2152-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-42-0x000001AA56A30000-0x000001AA56A50000-memory.dmp

Filesize
128KB

Download
memory/2152-41-0x000001AA56A30000-0x000001AA56A50000-memory.dmp

Filesize
128KB

Download
memory/2152-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-38-0x000001AA56A10000-0x000001AA56A30000-memory.dmp

Filesize
128KB

Download
memory/2152-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2152-31-0x000001AA569B0000-0x000001AA569D0000-memory.dmp

Filesize
128KB

Download
memory/3380-0-0x00007FF8C1C10000-0x00007FF8C1C12000-memory.dmp

Filesize
8KB

Download
memory/3380-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/3380-1-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/3380-2-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4468-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4468-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4468-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4468-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4468-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4468-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing