xmrig | d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

General

Target

tmp.exe
Size

10.7MB
MD5

b091c4848287be6601d720997394d453
SHA1

9180e34175e1f4644d5fa63227d665b2be15c75b
SHA256

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe
SHA512

a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a
SSDEEP

196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3564-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-31-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-49-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3564-50-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 2 IoCs

Processes:

dckuybanmlgp.exedckuybanmlgp.exe

pid process

3916 dckuybanmlgp.exe
3204 dckuybanmlgp.exe

pid	process
3916	dckuybanmlgp.exe
3204	dckuybanmlgp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 3916 set thread context of 1280	3916	dckuybanmlgp.exe	conhost.exe
PID 3916 set thread context of 3564	3916	dckuybanmlgp.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2988 sc.exe
3312 sc.exe
4780 sc.exe
3204 sc.exe

pid	process
2988	sc.exe
3312	sc.exe
4780	sc.exe
3204	sc.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

tmp.exedckuybanmlgp.execonhost.exedckuybanmlgp.exe

pid	process
2456	tmp.exe
2456	tmp.exe
2456	tmp.exe
2456	tmp.exe
2456	tmp.exe
2456	tmp.exe
2456	tmp.exe
2456	tmp.exe
2456	tmp.exe
2456	tmp.exe
3916	dckuybanmlgp.exe
3916	dckuybanmlgp.exe
3916	dckuybanmlgp.exe
3916	dckuybanmlgp.exe
3916	dckuybanmlgp.exe
3916	dckuybanmlgp.exe
3916	dckuybanmlgp.exe
3916	dckuybanmlgp.exe
1280	conhost.exe
3204	dckuybanmlgp.exe
3204	dckuybanmlgp.exe
3204	dckuybanmlgp.exe
3204	dckuybanmlgp.exe
3204	dckuybanmlgp.exe
3204	dckuybanmlgp.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
664

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	4312	powercfg.exe
Token: SeCreatePagefilePrivilege	4312	powercfg.exe
Token: SeShutdownPrivilege	4052	powercfg.exe
Token: SeCreatePagefilePrivilege	4052	powercfg.exe
Token: SeShutdownPrivilege	2416	powercfg.exe
Token: SeCreatePagefilePrivilege	2416	powercfg.exe
Token: SeShutdownPrivilege	3052	powercfg.exe
Token: SeCreatePagefilePrivilege	3052	powercfg.exe
Token: SeShutdownPrivilege	3368	powercfg.exe
Token: SeCreatePagefilePrivilege	3368	powercfg.exe
Token: SeShutdownPrivilege	2192	powercfg.exe
Token: SeCreatePagefilePrivilege	2192	powercfg.exe
Token: SeShutdownPrivilege	2432	powercfg.exe
Token: SeCreatePagefilePrivilege	2432	powercfg.exe
Token: SeShutdownPrivilege	3588	powercfg.exe
Token: SeCreatePagefilePrivilege	3588	powercfg.exe
Token: SeLockMemoryPrivilege	3564	svchost.exe
Token: SeShutdownPrivilege	4128	powercfg.exe
Token: SeCreatePagefilePrivilege	4128	powercfg.exe
Token: SeShutdownPrivilege	3540	powercfg.exe
Token: SeCreatePagefilePrivilege	3540	powercfg.exe
Token: SeShutdownPrivilege	1728	powercfg.exe
Token: SeCreatePagefilePrivilege	1728	powercfg.exe
Token: SeShutdownPrivilege	4136	powercfg.exe
Token: SeCreatePagefilePrivilege	4136	powercfg.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 3916 wrote to memory of 1280	3916	dckuybanmlgp.exe	conhost.exe
PID 3916 wrote to memory of 1280	3916	dckuybanmlgp.exe	conhost.exe
PID 3916 wrote to memory of 1280	3916	dckuybanmlgp.exe	conhost.exe
PID 3916 wrote to memory of 1280	3916	dckuybanmlgp.exe	conhost.exe
PID 3916 wrote to memory of 1280	3916	dckuybanmlgp.exe	conhost.exe
PID 3916 wrote to memory of 1280	3916	dckuybanmlgp.exe	conhost.exe
PID 3916 wrote to memory of 1280	3916	dckuybanmlgp.exe	conhost.exe
PID 3916 wrote to memory of 1280	3916	dckuybanmlgp.exe	conhost.exe
PID 3916 wrote to memory of 1280	3916	dckuybanmlgp.exe	conhost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe
PID 3916 wrote to memory of 3564	3916	dckuybanmlgp.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:3204
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2988
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:3312
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:4780

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3368
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3588
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1280
- - C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
    "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3204
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3540
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4128
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4136
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8
1⤵
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
2.2MB

MD5
58496ce1743a0a1e1765fbf30d6a7e71

SHA1
b24b839fc759cdca0b740ee184a23e8d87c8a45a

SHA256
8d3fa008e9effe92d050eaf09d90208080dc2249f2014a5ad84ccbf36c237ad7

SHA512
6bbf73a63b71cfa8393311a139cff03f288016dc00eacf1067441b9961f6d16033f4c218afa87ac00a412b99f9dfe9eacb351fd2c13ae7c1076ccd8cb91574d2

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
1.9MB

MD5
76c4fa4f8a0547684443bf55ec47b52a

SHA1
22b7abb6186c494e453673db38bb6d0fde9637b1

SHA256
d73d18bf63aa110fe12cdb43e6651b319d6902616a5ceac13ebe4c5b3cfe18f2

SHA512
8739b861ca7237592ef3c5158356185918e08c31f1cc63d0287970e7949b9e5d6ee916915c1502b6b374f50fc4948acd38afaf6198307d3142294ce84eea4fbd

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
8.6MB

MD5
a1d4e28210c8283f80b4347423050c6d

SHA1
9110f60dc707d46965b55a7a66e6b83b689f7009

SHA256
7623c1d8abe3bb8f9db68d3eec50d4a3f83abafaee97e56cfd68e3288c49fee8

SHA512
cbf3c4191e906d2e29191a70439d95d630015273a458966b7da551fd971eab547783666d1506ba8372a35fe5c4e63c3031db263134c3cb798cef5681ca432db2

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
4.2MB

MD5
e73f294731d6f1ceec47791ef911a6a4

SHA1
fecd95a89731f2209a800ace095ccba11eeecd01

SHA256
ed5ca59412256fd3f5a395d29d392b506768d7141142ebd32a2be0844de715b8

SHA512
906ae457e637b335506227a8b616bbb02636a8e4cb056be3fd836409f8bef092bccea4a2d960eaf53e27a1ffd7b19ce6a37c05cff1626f8c8fdb6cd39b6d922e

Download Submit
C:\Windows\TEMP\gdaawrhfdlcr.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
memory/1280-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1280-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1280-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1280-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1280-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1280-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2456-5-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2456-0-0x00007FFB96910000-0x00007FFB96912000-memory.dmp

Filesize
8KB

Download
memory/2456-1-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2456-2-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3204-47-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3204-43-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3564-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-52-0x000001C19BF00000-0x000001C19BF20000-memory.dmp

Filesize
128KB

Download
memory/3564-31-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-32-0x000001C19BE60000-0x000001C19BE80000-memory.dmp

Filesize
128KB

Download
memory/3564-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-51-0x000001C19BF00000-0x000001C19BF20000-memory.dmp

Filesize
128KB

Download
memory/3564-50-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3564-48-0x000001C19BEC0000-0x000001C19BF00000-memory.dmp

Filesize
256KB

Download
memory/3564-49-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3916-9-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3916-10-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3916-30-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads