xmrig | d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

General

Target

b091c4848287be6601d720997394d453.exe
Size

10.7MB
MD5

b091c4848287be6601d720997394d453
SHA1

9180e34175e1f4644d5fa63227d665b2be15c75b
SHA256

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe
SHA512

a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a
SSDEEP

196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/memory/716-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/716-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
4700	dckuybanmlgp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4700 set thread context of 864	4700	dckuybanmlgp.exe	121
PID 4700 set thread context of 716	4700	dckuybanmlgp.exe	126

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4640	sc.exe
1200	sc.exe
5064	sc.exe
4704	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3404	b091c4848287be6601d720997394d453.exe
3404	b091c4848287be6601d720997394d453.exe
3404	b091c4848287be6601d720997394d453.exe
3404	b091c4848287be6601d720997394d453.exe
3404	b091c4848287be6601d720997394d453.exe
3404	b091c4848287be6601d720997394d453.exe
3404	b091c4848287be6601d720997394d453.exe
3404	b091c4848287be6601d720997394d453.exe
3404	b091c4848287be6601d720997394d453.exe
3404	b091c4848287be6601d720997394d453.exe
4700	dckuybanmlgp.exe
4700	dckuybanmlgp.exe
4700	dckuybanmlgp.exe
4700	dckuybanmlgp.exe
4700	dckuybanmlgp.exe
4700	dckuybanmlgp.exe
4700	dckuybanmlgp.exe
4700	dckuybanmlgp.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4992	powercfg.exe
Token: SeCreatePagefilePrivilege	4992	powercfg.exe
Token: SeShutdownPrivilege	376	powercfg.exe
Token: SeCreatePagefilePrivilege	376	powercfg.exe
Token: SeShutdownPrivilege	3388	powercfg.exe
Token: SeCreatePagefilePrivilege	3388	powercfg.exe
Token: SeShutdownPrivilege	2912	powercfg.exe
Token: SeCreatePagefilePrivilege	2912	powercfg.exe
Token: SeShutdownPrivilege	2872	powercfg.exe
Token: SeCreatePagefilePrivilege	2872	powercfg.exe
Token: SeShutdownPrivilege	3768	powercfg.exe
Token: SeCreatePagefilePrivilege	3768	powercfg.exe
Token: SeShutdownPrivilege	3420	powercfg.exe
Token: SeCreatePagefilePrivilege	3420	powercfg.exe
Token: SeShutdownPrivilege	4472	powercfg.exe
Token: SeCreatePagefilePrivilege	4472	powercfg.exe
Token: SeLockMemoryPrivilege	716	svchost.exe
Token: SeManageVolumePrivilege	3436	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 864	4700	dckuybanmlgp.exe	121
PID 4700 wrote to memory of 864	4700	dckuybanmlgp.exe	121
PID 4700 wrote to memory of 864	4700	dckuybanmlgp.exe	121
PID 4700 wrote to memory of 864	4700	dckuybanmlgp.exe	121
PID 4700 wrote to memory of 864	4700	dckuybanmlgp.exe	121
PID 4700 wrote to memory of 864	4700	dckuybanmlgp.exe	121
PID 4700 wrote to memory of 864	4700	dckuybanmlgp.exe	121
PID 4700 wrote to memory of 864	4700	dckuybanmlgp.exe	121
PID 4700 wrote to memory of 864	4700	dckuybanmlgp.exe	121
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126
PID 4700 wrote to memory of 716	4700	dckuybanmlgp.exe	126

C:\Users\Admin\AppData\Local\Temp\b091c4848287be6601d720997394d453.exe
"C:\Users\Admin\AppData\Local\Temp\b091c4848287be6601d720997394d453.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3404
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:4640
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:1200
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:5064
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:4704

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:864
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:716

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
10.1MB

MD5
bb7515de485eebec20e4b4b4d1342629

SHA1
3d8a51e523344b609b2c7855a125ffbc6e4e3931

SHA256
a92311f5c74681189e1faeb888eec8f4a3cc89467f2b655ae5f7f4da065b3ddc

SHA512
091c12d6babe108ac2d44e3f4bef38aa30c095379055cb9268a49b5d70dfc3682388b834c773443111b89144cb9c88acb0767bf78e19ed70839860703988e82a

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
9.9MB

MD5
268f23693edff6f884dbce6ff9d45e6a

SHA1
738c948fdf47859f960b9dadb03b54656bf7acf6

SHA256
8c95d5f83fa051a414e2cce915c6a3061c10a84114fc9ec3ac34c610250b5359

SHA512
3b11730fcec7c39fb912a550fa3c4cb2080a119c4dc51e4f7c8e980d514bf8a1bfcfc407bcbb56af69880a6608976dc994c8810fb123e6de7857f4e90917519b

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
f84b94e7c234df7d09b7941459f51ae1

SHA1
d210a63fef798726e92e22dbef3473205b99d7d9

SHA256
ae21fbbb4eabcbe0db49dc0760f34be62a495829df8bd8b745261228137ca509

SHA512
3eceb635c9f383a82877cfca956dbfa752e91f6c44aefbce1475868f8915855f6b33a0139ce1c6f7468a688eb13c60bb919b7f2472542d67e9535e3aef33fec6

Download Submit
memory/716-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-42-0x000001F0AD060000-0x000001F0AD080000-memory.dmp

Filesize
128KB

Download
memory/716-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-38-0x000001F0AC9D0000-0x000001F0AC9F0000-memory.dmp

Filesize
128KB

Download
memory/716-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-31-0x000001F0AC960000-0x000001F0AC980000-memory.dmp

Filesize
128KB

Download
memory/716-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-41-0x000001F0AD060000-0x000001F0AD080000-memory.dmp

Filesize
128KB

Download
memory/716-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/716-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/864-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/864-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/864-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/864-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/864-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/864-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3404-0-0x00007FFE09C70000-0x00007FFE09C72000-memory.dmp

Filesize
8KB

Download
memory/3404-5-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3404-1-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3404-2-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3436-43-0x000001E61BF40000-0x000001E61BF50000-memory.dmp

Filesize
64KB

Download
memory/3436-59-0x000001E61C040000-0x000001E61C050000-memory.dmp

Filesize
64KB

Download
memory/4700-32-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/4700-10-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/4700-9-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download

Analysis

Sharing