xmrig | d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

10.7MB
MD5

b091c4848287be6601d720997394d453
SHA1

9180e34175e1f4644d5fa63227d665b2be15c75b
SHA256

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe
SHA512

a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a
SSDEEP

196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2680-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-44-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-47-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-50-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-51-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-52-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-53-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-62-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2680-63-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 3 IoCs

Processes:

dckuybanmlgp.exedckuybanmlgp.exe

pid process

468
2460 dckuybanmlgp.exe
1968 dckuybanmlgp.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

468

pid	process
468
2460	dckuybanmlgp.exe
1968	dckuybanmlgp.exe

pid	process
468

Suspicious use of SetThreadContext 2 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 2460 set thread context of 1940	2460	dckuybanmlgp.exe	conhost.exe
PID 2460 set thread context of 2680	2460	dckuybanmlgp.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2560 sc.exe
2592 sc.exe
2428 sc.exe
2640 sc.exe

pid	process
2560	sc.exe
2592	sc.exe
2428	sc.exe
2640	sc.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

tmp.exedckuybanmlgp.execonhost.exedckuybanmlgp.exe

pid	process
2904	tmp.exe
2904	tmp.exe
2904	tmp.exe
2904	tmp.exe
2904	tmp.exe
2904	tmp.exe
2904	tmp.exe
2904	tmp.exe
2904	tmp.exe
2460	dckuybanmlgp.exe
2460	dckuybanmlgp.exe
2460	dckuybanmlgp.exe
2460	dckuybanmlgp.exe
2460	dckuybanmlgp.exe
2460	dckuybanmlgp.exe
2460	dckuybanmlgp.exe
1940	conhost.exe
1968	dckuybanmlgp.exe
1968	dckuybanmlgp.exe
1968	dckuybanmlgp.exe
1968	dckuybanmlgp.exe
1968	dckuybanmlgp.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	2536	powercfg.exe
Token: SeShutdownPrivilege	2620	powercfg.exe
Token: SeShutdownPrivilege	2664	powercfg.exe
Token: SeShutdownPrivilege	2616	powercfg.exe
Token: SeShutdownPrivilege	1036	powercfg.exe
Token: SeShutdownPrivilege	2388	powercfg.exe
Token: SeShutdownPrivilege	2208	powercfg.exe
Token: SeShutdownPrivilege	2872	powercfg.exe
Token: SeLockMemoryPrivilege	2680	svchost.exe
Token: SeShutdownPrivilege	896	powercfg.exe
Token: SeShutdownPrivilege	3052	powercfg.exe
Token: SeShutdownPrivilege	1840	powercfg.exe
Token: SeShutdownPrivilege	2744	powercfg.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 2460 wrote to memory of 1940	2460	dckuybanmlgp.exe	conhost.exe
PID 2460 wrote to memory of 1940	2460	dckuybanmlgp.exe	conhost.exe
PID 2460 wrote to memory of 1940	2460	dckuybanmlgp.exe	conhost.exe
PID 2460 wrote to memory of 1940	2460	dckuybanmlgp.exe	conhost.exe
PID 2460 wrote to memory of 1940	2460	dckuybanmlgp.exe	conhost.exe
PID 2460 wrote to memory of 1940	2460	dckuybanmlgp.exe	conhost.exe
PID 2460 wrote to memory of 1940	2460	dckuybanmlgp.exe	conhost.exe
PID 2460 wrote to memory of 1940	2460	dckuybanmlgp.exe	conhost.exe
PID 2460 wrote to memory of 1940	2460	dckuybanmlgp.exe	conhost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe
PID 2460 wrote to memory of 2680	2460	dckuybanmlgp.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2904
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:2560
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2592
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:2640

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1940
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1968
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:896
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3052
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1840
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2744
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
4.6MB

MD5
0c577103fc8c0ea85b678c28c30588ca

SHA1
54c2bdedf905ce944fddf2769c1929bc10a0ce88

SHA256
23c0498ea85ef4ec35bdc427a71a82021b87f9a3706e82482509b85e8cd14e64

SHA512
41767c774d2b76d8afb4b634bfd7c252ef3a77b8797f9f63dd9b24a90ec71df388e0c671344c2bf70e341d0158432c10485a567b69533a27b8afc58a174a429a

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
1024KB

MD5
ab419abd1f043ee9af2f484dce2892d8

SHA1
58bc62e58d61fd2ed94e951d37a020657c7d65ba

SHA256
1b5df37d687b0d4f3ae9878eb01d180de3ae3732fc63452dda2710f401068311

SHA512
cb120a7f7e2b6c60d446b5d3f20aa0431f067647c84646b507c465823669d374d258e0ba068a8205bc2548456385253e2ad5d7b98aa5ea6a9ae93cc7c192c6e0

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
2.4MB

MD5
fb962d97b3b6def202c142209d4950dd

SHA1
333d553affa8e689c08d2533e57baa4be8de6599

SHA256
985fad3b0d44257e898d4a4e03cffdc34d43a1609ed37a363f3fd831e2acde0f

SHA512
67c2d0131db24160bc7e0c5b79f06400c42395b49f65cd18adee5585a1fa93612448d15f351361d859a9905c5b653a3dbba5e6cd61affb8ed500d46aae337f12

Download Submit
C:\Windows\TEMP\gdaawrhfdlcr.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
3.9MB

MD5
b382cab00edfdcf05333318355dd383c

SHA1
31fb3820e0123233e77b5c320fe7d5024fa43856

SHA256
90da489b3c7cf742ab840807b072ed47950fb67ce4cee1a6cd835b3409d9431f

SHA512
544855e8d53e68a413131a7d35e8e938ac31defc4909acad8487953933a363a71f03184e67749fbfe13be9c1360cfd7d50d47eb7e5bf0147e314ed9b316b83cc

Download Submit
\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
3.7MB

MD5
564708c7771647c370669dfee135f095

SHA1
0fec68c05630d973185b143fa0b21c1ae44e01b2

SHA256
3a104a74340ceceace81da068f1c83a428dce89e515a7724a2f6c84b5988d5c2

SHA512
86d17f4bb8db4ccda91e7167bef32a5634b53b08c347f75e08bd0cc63cd1e41886cdf5d496cd32aab7d8f6d8dae059b516ce1f53432f2b8b67307a87c59d85e8

Download Submit
memory/1940-26-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1940-32-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1940-30-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1940-29-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1940-28-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1940-27-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1968-58-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/1968-61-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/1968-69-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/1968-70-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2460-24-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/2460-22-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2460-19-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2460-49-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/2460-48-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2680-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-47-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-65-0x00000000004A0000-0x00000000004C0000-memory.dmp

Filesize
128KB

Download
memory/2680-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-44-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-45-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/2680-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-64-0x00000000004A0000-0x00000000004C0000-memory.dmp

Filesize
128KB

Download
memory/2680-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-50-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-51-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-52-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-53-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-63-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2680-62-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2904-8-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/2904-10-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/2904-15-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2904-0-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

Filesize
8KB

Download
memory/2904-4-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

Filesize
8KB

Download
memory/2904-5-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2904-2-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

Filesize
8KB

Download