xmrig | d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

10.7MB
MD5

b091c4848287be6601d720997394d453
SHA1

9180e34175e1f4644d5fa63227d665b2be15c75b
SHA256

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe
SHA512

a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a
SSDEEP

196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2536-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-43-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-46-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-50-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-51-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-52-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-53-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-54-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-69-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2536-70-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 3 IoCs

Processes:

dckuybanmlgp.exedckuybanmlgp.exe

pid process

464
2456 dckuybanmlgp.exe
2676 dckuybanmlgp.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

464

pid	process
464
2456	dckuybanmlgp.exe
2676	dckuybanmlgp.exe

pid	process
464

Suspicious use of SetThreadContext 2 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 2456 set thread context of 2804	2456	dckuybanmlgp.exe	conhost.exe
PID 2456 set thread context of 2536	2456	dckuybanmlgp.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2600 sc.exe
2556 sc.exe
2080 sc.exe
2656 sc.exe

pid	process
2600	sc.exe
2556	sc.exe
2080	sc.exe
2656	sc.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

tmp.exedckuybanmlgp.execonhost.exedckuybanmlgp.exe

pid	process
2748	tmp.exe
2748	tmp.exe
2748	tmp.exe
2748	tmp.exe
2748	tmp.exe
2748	tmp.exe
2748	tmp.exe
2748	tmp.exe
2748	tmp.exe
2456	dckuybanmlgp.exe
2456	dckuybanmlgp.exe
2456	dckuybanmlgp.exe
2456	dckuybanmlgp.exe
2456	dckuybanmlgp.exe
2456	dckuybanmlgp.exe
2456	dckuybanmlgp.exe
2804	conhost.exe
2676	dckuybanmlgp.exe
2676	dckuybanmlgp.exe
2676	dckuybanmlgp.exe
2676	dckuybanmlgp.exe
2676	dckuybanmlgp.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	2584	powercfg.exe
Token: SeShutdownPrivilege	2876	powercfg.exe
Token: SeShutdownPrivilege	2416	powercfg.exe
Token: SeShutdownPrivilege	1616	powercfg.exe
Token: SeShutdownPrivilege	2780	powercfg.exe
Token: SeShutdownPrivilege	2956	powercfg.exe
Token: SeShutdownPrivilege	2344	powercfg.exe
Token: SeShutdownPrivilege	2784	powercfg.exe
Token: SeLockMemoryPrivilege	2536	svchost.exe
Token: SeShutdownPrivilege	2776	powercfg.exe
Token: SeShutdownPrivilege	1816	powercfg.exe
Token: SeShutdownPrivilege	920	powercfg.exe
Token: SeShutdownPrivilege	840	powercfg.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 2456 wrote to memory of 2804	2456	dckuybanmlgp.exe	conhost.exe
PID 2456 wrote to memory of 2804	2456	dckuybanmlgp.exe	conhost.exe
PID 2456 wrote to memory of 2804	2456	dckuybanmlgp.exe	conhost.exe
PID 2456 wrote to memory of 2804	2456	dckuybanmlgp.exe	conhost.exe
PID 2456 wrote to memory of 2804	2456	dckuybanmlgp.exe	conhost.exe
PID 2456 wrote to memory of 2804	2456	dckuybanmlgp.exe	conhost.exe
PID 2456 wrote to memory of 2804	2456	dckuybanmlgp.exe	conhost.exe
PID 2456 wrote to memory of 2804	2456	dckuybanmlgp.exe	conhost.exe
PID 2456 wrote to memory of 2804	2456	dckuybanmlgp.exe	conhost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe
PID 2456 wrote to memory of 2536	2456	dckuybanmlgp.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
2⤵
- Launches sc.exe
PID:2600

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
2⤵
- Launches sc.exe
PID:2556

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:2080

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
2⤵
- Launches sc.exe
PID:2656

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2804

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
"C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
4.2MB

MD5
5f11e17dab6d3d8590b793846fb490bf

SHA1
286f4c3cb16af6b8c064aaec657c25c79cc98510

SHA256
71d6ce626de09f7118ddab4a1d818abbe398840a2841bd1b3b1c0465df6f1f30

SHA512
97e289d95ddb475b54cfbc5cd6b377c7b408be83c82e214e71efead4ae00db0777e30dbfc45ade2caab3c08d55435b3b6a6ae8ed1953ff64d273e5737b1e10a5

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Windows\TEMP\gdaawrhfdlcr.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
5.1MB

MD5
00868824e0478fdc3d9bac83d01c892b

SHA1
ec3d9de65313e255c1edcace3fec73966e8692f6

SHA256
baf7088dd6250b0e0e97482d51d41b56a07abaf170db380162de5cb5da71c60f

SHA512
26a6e066a3c8b055153bbe10005dabc53b4fb581536afea80c778c3f14f260e0d305af80d51ab3d624a478526345eb2d78a649699c1b5cb131613f0223dab0b8

Download Submit
\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
4.6MB

MD5
0c577103fc8c0ea85b678c28c30588ca

SHA1
54c2bdedf905ce944fddf2769c1929bc10a0ce88

SHA256
23c0498ea85ef4ec35bdc427a71a82021b87f9a3706e82482509b85e8cd14e64

SHA512
41767c774d2b76d8afb4b634bfd7c252ef3a77b8797f9f63dd9b24a90ec71df388e0c671344c2bf70e341d0158432c10485a567b69533a27b8afc58a174a429a

Download Submit
memory/2456-48-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2456-49-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2456-26-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2456-24-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2456-20-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2536-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-54-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-72-0x0000000000BB0000-0x0000000000BD0000-memory.dmp

Filesize
128KB

Download
memory/2536-71-0x0000000000BB0000-0x0000000000BD0000-memory.dmp

Filesize
128KB

Download
memory/2536-70-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-69-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-53-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-52-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-51-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-50-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-47-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2536-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-46-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2536-43-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2676-58-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2676-68-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2676-67-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2676-63-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2676-62-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2748-3-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2748-5-0x0000000077D40000-0x0000000077D42000-memory.dmp

Filesize
8KB

Download
memory/2748-11-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2748-12-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2748-8-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2748-7-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2748-2-0x0000000077D40000-0x0000000077D42000-memory.dmp

Filesize
8KB

Download
memory/2748-0-0x0000000077D40000-0x0000000077D42000-memory.dmp

Filesize
8KB

Download
memory/2804-30-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2804-33-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2804-27-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2804-31-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2804-28-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2804-29-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download