xmrig | d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

General

Target

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
Size

10.7MB
MD5

b091c4848287be6601d720997394d453
SHA1

9180e34175e1f4644d5fa63227d665b2be15c75b
SHA256

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe
SHA512

a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a
SSDEEP

196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4372-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-31-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-49-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4372-50-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 2 IoCs

Processes:

dckuybanmlgp.exedckuybanmlgp.exe

pid process

2812 dckuybanmlgp.exe
1580 dckuybanmlgp.exe

pid	process
2812	dckuybanmlgp.exe
1580	dckuybanmlgp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 2812 set thread context of 3008	2812	dckuybanmlgp.exe	conhost.exe
PID 2812 set thread context of 4372	2812	dckuybanmlgp.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1424 sc.exe
4316 sc.exe
4504 sc.exe
3684 sc.exe

pid	process
1424	sc.exe
4316	sc.exe
4504	sc.exe
3684	sc.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exedckuybanmlgp.execonhost.exedckuybanmlgp.exe

pid	process
3624	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
3624	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
3624	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
3624	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
3624	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
3624	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
3624	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
3624	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
3624	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
3624	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2812	dckuybanmlgp.exe
2812	dckuybanmlgp.exe
2812	dckuybanmlgp.exe
2812	dckuybanmlgp.exe
2812	dckuybanmlgp.exe
2812	dckuybanmlgp.exe
2812	dckuybanmlgp.exe
2812	dckuybanmlgp.exe
3008	conhost.exe
1580	dckuybanmlgp.exe
1580	dckuybanmlgp.exe
1580	dckuybanmlgp.exe
1580	dckuybanmlgp.exe
1580	dckuybanmlgp.exe
1580	dckuybanmlgp.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
668

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	4728	powercfg.exe
Token: SeCreatePagefilePrivilege	4728	powercfg.exe
Token: SeShutdownPrivilege	4680	powercfg.exe
Token: SeCreatePagefilePrivilege	4680	powercfg.exe
Token: SeShutdownPrivilege	1256	powercfg.exe
Token: SeCreatePagefilePrivilege	1256	powercfg.exe
Token: SeShutdownPrivilege	2332	powercfg.exe
Token: SeCreatePagefilePrivilege	2332	powercfg.exe
Token: SeShutdownPrivilege	856	powercfg.exe
Token: SeCreatePagefilePrivilege	856	powercfg.exe
Token: SeShutdownPrivilege	4660	powercfg.exe
Token: SeCreatePagefilePrivilege	4660	powercfg.exe
Token: SeShutdownPrivilege	2756	powercfg.exe
Token: SeCreatePagefilePrivilege	2756	powercfg.exe
Token: SeShutdownPrivilege	1640	powercfg.exe
Token: SeCreatePagefilePrivilege	1640	powercfg.exe
Token: SeLockMemoryPrivilege	4372	svchost.exe
Token: SeShutdownPrivilege	424	powercfg.exe
Token: SeCreatePagefilePrivilege	424	powercfg.exe
Token: SeShutdownPrivilege	5036	powercfg.exe
Token: SeCreatePagefilePrivilege	5036	powercfg.exe
Token: SeShutdownPrivilege	4648	powercfg.exe
Token: SeCreatePagefilePrivilege	4648	powercfg.exe
Token: SeShutdownPrivilege	3076	powercfg.exe
Token: SeCreatePagefilePrivilege	3076	powercfg.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 2812 wrote to memory of 3008	2812	dckuybanmlgp.exe	conhost.exe
PID 2812 wrote to memory of 3008	2812	dckuybanmlgp.exe	conhost.exe
PID 2812 wrote to memory of 3008	2812	dckuybanmlgp.exe	conhost.exe
PID 2812 wrote to memory of 3008	2812	dckuybanmlgp.exe	conhost.exe
PID 2812 wrote to memory of 3008	2812	dckuybanmlgp.exe	conhost.exe
PID 2812 wrote to memory of 3008	2812	dckuybanmlgp.exe	conhost.exe
PID 2812 wrote to memory of 3008	2812	dckuybanmlgp.exe	conhost.exe
PID 2812 wrote to memory of 3008	2812	dckuybanmlgp.exe	conhost.exe
PID 2812 wrote to memory of 3008	2812	dckuybanmlgp.exe	conhost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe
PID 2812 wrote to memory of 4372	2812	dckuybanmlgp.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
"C:\Users\Admin\AppData\Local\Temp\d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3624
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:1424
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:4316
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:4504
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:3684

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4660
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1580
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3076
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4648
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5036
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:424
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
1.4MB

MD5
e0e8d034b8654bbf1ed518979086321b

SHA1
c361f85c770a599e2c23900ac0ae355cf357087c

SHA256
fbd661e7153218b3171f8ddc324d1e019dd00d94c27c5ddfdf90ccfb6b8382ba

SHA512
9b21d059044c22e08d6fa03de404c31c42c202cbfd4d14253ec68d49e5b86f4f91382b10ba59123ad385d33987b3c997ab812d46b12a08815bebcd5acec78d34

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
3.6MB

MD5
d309ca9e83a0ae14a38ed8969965e27c

SHA1
85ee4e0d6fe9268fd9b9b7ba0f114c43d5fd0fc4

SHA256
60563712f328e7569a99cae67897d0f321be27c17502a45d61e5d3aff5c6038b

SHA512
b0a38fbe02ab10c8e2d725bf64f8d519587ffe7531ff193d44d60111ec2dc0063b93922cf0441d6ba3acfbcbc37cf2ab606afce45a8db4686723b4808ab48f8b

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
3.7MB

MD5
564708c7771647c370669dfee135f095

SHA1
0fec68c05630d973185b143fa0b21c1ae44e01b2

SHA256
3a104a74340ceceace81da068f1c83a428dce89e515a7724a2f6c84b5988d5c2

SHA512
86d17f4bb8db4ccda91e7167bef32a5634b53b08c347f75e08bd0cc63cd1e41886cdf5d496cd32aab7d8f6d8dae059b516ce1f53432f2b8b67307a87c59d85e8

Download Submit
C:\Windows\TEMP\gdaawrhfdlcr.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
memory/1580-47-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/1580-43-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2812-30-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2812-10-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2812-9-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3008-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3008-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3008-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3008-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3008-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3008-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3624-0-0x00007FFE661C0000-0x00007FFE661C2000-memory.dmp

Filesize
8KB

Download
memory/3624-5-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3624-1-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3624-2-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/4372-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-31-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-33-0x0000020144FF0000-0x0000020145010000-memory.dmp

Filesize
128KB

Download
memory/4372-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-48-0x0000020145050000-0x0000020145090000-memory.dmp

Filesize
256KB

Download
memory/4372-49-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-50-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4372-51-0x00000201450B0000-0x00000201450D0000-memory.dmp

Filesize
128KB

Download
memory/4372-52-0x00000201450B0000-0x00000201450D0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads