xmrig | d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

General

Target

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
Size

10.7MB
MD5

b091c4848287be6601d720997394d453
SHA1

9180e34175e1f4644d5fa63227d665b2be15c75b
SHA256

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe
SHA512

a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a
SSDEEP

196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral1/memory/2300-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2300-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
4316	dckuybanmlgp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4316 set thread context of 3860	4316	dckuybanmlgp.exe	121
PID 4316 set thread context of 2300	4316	dckuybanmlgp.exe	126

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1152	sc.exe
408	sc.exe
4816	sc.exe
960	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2184	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2184	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2184	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2184	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2184	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2184	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2184	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2184	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2184	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2184	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
4316	dckuybanmlgp.exe
4316	dckuybanmlgp.exe
4316	dckuybanmlgp.exe
4316	dckuybanmlgp.exe
4316	dckuybanmlgp.exe
4316	dckuybanmlgp.exe
4316	dckuybanmlgp.exe
4316	dckuybanmlgp.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
680	Process not Found

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3568	powercfg.exe
Token: SeCreatePagefilePrivilege	3568	powercfg.exe
Token: SeShutdownPrivilege	3692	powercfg.exe
Token: SeCreatePagefilePrivilege	3692	powercfg.exe
Token: SeShutdownPrivilege	3580	powercfg.exe
Token: SeCreatePagefilePrivilege	3580	powercfg.exe
Token: SeShutdownPrivilege	1088	powercfg.exe
Token: SeCreatePagefilePrivilege	1088	powercfg.exe
Token: SeShutdownPrivilege	1264	powercfg.exe
Token: SeCreatePagefilePrivilege	1264	powercfg.exe
Token: SeShutdownPrivilege	2904	powercfg.exe
Token: SeCreatePagefilePrivilege	2904	powercfg.exe
Token: SeShutdownPrivilege	4600	powercfg.exe
Token: SeCreatePagefilePrivilege	4600	powercfg.exe
Token: SeShutdownPrivilege	3296	powercfg.exe
Token: SeCreatePagefilePrivilege	3296	powercfg.exe
Token: SeLockMemoryPrivilege	2300	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 3860	4316	dckuybanmlgp.exe	121
PID 4316 wrote to memory of 3860	4316	dckuybanmlgp.exe	121
PID 4316 wrote to memory of 3860	4316	dckuybanmlgp.exe	121
PID 4316 wrote to memory of 3860	4316	dckuybanmlgp.exe	121
PID 4316 wrote to memory of 3860	4316	dckuybanmlgp.exe	121
PID 4316 wrote to memory of 3860	4316	dckuybanmlgp.exe	121
PID 4316 wrote to memory of 3860	4316	dckuybanmlgp.exe	121
PID 4316 wrote to memory of 3860	4316	dckuybanmlgp.exe	121
PID 4316 wrote to memory of 3860	4316	dckuybanmlgp.exe	121
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126
PID 4316 wrote to memory of 2300	4316	dckuybanmlgp.exe	126

C:\Users\Admin\AppData\Local\Temp\d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
"C:\Users\Admin\AppData\Local\Temp\d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2184
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:1152
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:408
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:4816
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:960

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3860
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
3.9MB

MD5
b382cab00edfdcf05333318355dd383c

SHA1
31fb3820e0123233e77b5c320fe7d5024fa43856

SHA256
90da489b3c7cf742ab840807b072ed47950fb67ce4cee1a6cd835b3409d9431f

SHA512
544855e8d53e68a413131a7d35e8e938ac31defc4909acad8487953933a363a71f03184e67749fbfe13be9c1360cfd7d50d47eb7e5bf0147e314ed9b316b83cc

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
4.1MB

MD5
7a14a246be9de763b13a89cd86cbc70e

SHA1
a4a77466cbed5fac575b4bce10ab2078b6486acb

SHA256
e6f63117de19c9c47bfbe7d06ad363443df3c9d822f4ce26c5407f399aaddcd6

SHA512
82931da0fece44848bba57443c0d45b8334519942ba8f67da0ebebbb1c4c0a2c9b5cfafe5abcd1d814cdb7524954ca138813588535f63b174b66e473b47de7ab

Download Submit
memory/2184-0-0x00007FFD895D0000-0x00007FFD895D2000-memory.dmp

Filesize
8KB

Download
memory/2184-2-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2184-1-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2184-5-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2300-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-42-0x00000209889E0000-0x0000020988A00000-memory.dmp

Filesize
128KB

Download
memory/2300-41-0x00000209889E0000-0x0000020988A00000-memory.dmp

Filesize
128KB

Download
memory/2300-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-38-0x00000209889A0000-0x00000209889E0000-memory.dmp

Filesize
256KB

Download
memory/2300-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-31-0x0000020988930000-0x0000020988950000-memory.dmp

Filesize
128KB

Download
memory/2300-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2300-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3860-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3860-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3860-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3860-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3860-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3860-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4316-9-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/4316-32-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/4316-10-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download

Analysis

Sharing