xmrig | d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

General

Target

tmp.exe
Size

10.7MB
MD5

b091c4848287be6601d720997394d453
SHA1

9180e34175e1f4644d5fa63227d665b2be15c75b
SHA256

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe
SHA512

a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a
SSDEEP

196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2176-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-44-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-48-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-49-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-52-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-50-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-51-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-54-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2176-53-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 2 IoCs

Processes:

dckuybanmlgp.exe

pid process

480
2776 dckuybanmlgp.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

480

pid	process
480
2776	dckuybanmlgp.exe

pid	process
480

Suspicious use of SetThreadContext 2 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 2776 set thread context of 2496	2776	dckuybanmlgp.exe	conhost.exe
PID 2776 set thread context of 2176	2776	dckuybanmlgp.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2940 sc.exe
2680 sc.exe
2780 sc.exe
2660 sc.exe

pid	process
2940	sc.exe
2680	sc.exe
2780	sc.exe
2660	sc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

tmp.exedckuybanmlgp.exe

pid	process
3024	tmp.exe
3024	tmp.exe
3024	tmp.exe
3024	tmp.exe
3024	tmp.exe
3024	tmp.exe
3024	tmp.exe
3024	tmp.exe
3024	tmp.exe
2776	dckuybanmlgp.exe
2776	dckuybanmlgp.exe
2776	dckuybanmlgp.exe
2776	dckuybanmlgp.exe
2776	dckuybanmlgp.exe
2776	dckuybanmlgp.exe
2776	dckuybanmlgp.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	2900	powercfg.exe
Token: SeShutdownPrivilege	2860	powercfg.exe
Token: SeShutdownPrivilege	2764	powercfg.exe
Token: SeShutdownPrivilege	2016	powercfg.exe
Token: SeShutdownPrivilege	2484	powercfg.exe
Token: SeShutdownPrivilege	2488	powercfg.exe
Token: SeShutdownPrivilege	2432	powercfg.exe
Token: SeShutdownPrivilege	2476	powercfg.exe
Token: SeLockMemoryPrivilege	2176	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 2776 wrote to memory of 2496	2776	dckuybanmlgp.exe	conhost.exe
PID 2776 wrote to memory of 2496	2776	dckuybanmlgp.exe	conhost.exe
PID 2776 wrote to memory of 2496	2776	dckuybanmlgp.exe	conhost.exe
PID 2776 wrote to memory of 2496	2776	dckuybanmlgp.exe	conhost.exe
PID 2776 wrote to memory of 2496	2776	dckuybanmlgp.exe	conhost.exe
PID 2776 wrote to memory of 2496	2776	dckuybanmlgp.exe	conhost.exe
PID 2776 wrote to memory of 2496	2776	dckuybanmlgp.exe	conhost.exe
PID 2776 wrote to memory of 2496	2776	dckuybanmlgp.exe	conhost.exe
PID 2776 wrote to memory of 2496	2776	dckuybanmlgp.exe	conhost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe
PID 2776 wrote to memory of 2176	2776	dckuybanmlgp.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3024

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
2⤵
- Launches sc.exe
PID:2940

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
2⤵
- Launches sc.exe
PID:2680

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:2780

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
2⤵
- Launches sc.exe
PID:2660

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2496

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
Filesize
5.2MB

MD5
d43f5f2a4cc476cd447a0b0ee715eb7d

SHA1
bf2ec9c88993f4faac5a677903d887f01a81583b

SHA256
e92a36df039736d6a7c0b6b157bef3e3cdabe81ae201d396fd4ef6828a73c961

SHA512
d215f7b6609e7edbeb8128ae1fee77fe54b49539c72ddad4b82d5296712d42e385bec39e353a056247e4403f2535302c4b2e5c8d58a39a5b7a678c906aa30a61

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
Filesize
5.4MB

MD5
9a4eadacc33f537e408b637ac09c3e81

SHA1
d68f8b01a2b0c7bbbdb1df4732590d53f3a18ceb

SHA256
a12478991316e416f78b6ad65aab7c44912b93209520993d2db96f841855b383

SHA512
52bea597a11c4b18988b9b87deaf3b6cad4b9fcf086f5e7c866e4815ea0180389ad7ae1ae8e6ee6ac3416e85856102505e133f2677b07717eeb45adfa2c45b1f

Download Submit
\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
Filesize
6.1MB

MD5
8d0b16a70ae75413ffad7d920baafb63

SHA1
3c3336ab87cc29bb9d6868dd8842da06fcd98fde

SHA256
83182c661ef5c8bafe9fb4d27f00e282704f07258c8fd78360d14b6361002663

SHA512
3f1b72d946fb6f152bf5e1483554716410eaad84aec88a38bf9915fe08b3776dc143add529a1bce9e55d80bc9fe69ccd1a6ccce59d0d009b9623294c17b6f6af

Download Submit
\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
Filesize
6.0MB

MD5
cf03795ba897f23b411f7a5325022c99

SHA1
53a88c5b5a6fe8263f7293830be24077cf00459a

SHA256
0d1e80b830d53f9312082c656615b1037cd983a3678fcee314aacca88d89c9d1

SHA512
a3a3671b71aae3df119e9b0bebd52b0be260c44344966035ef985170536673791efdcfad3958de0aec8a323381508fa3e117213fb4a83afa8883787a44b15edd

Download Submit
memory/2176-49-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-48-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-54-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-55-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2176-53-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-56-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2176-50-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-52-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-51-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-45-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/2176-44-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2176-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2496-28-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2496-27-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2496-32-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2496-30-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2496-26-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2496-29-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2776-24-0x0000000077C10000-0x0000000077DB9000-memory.dmp

Filesize
1.7MB

Download
memory/2776-47-0x0000000077C10000-0x0000000077DB9000-memory.dmp

Filesize
1.7MB

Download
memory/2776-46-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2776-22-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2776-19-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3024-0-0x0000000077DC0000-0x0000000077DC2000-memory.dmp

Filesize
8KB

Download
memory/3024-15-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3024-10-0x0000000077C10000-0x0000000077DB9000-memory.dmp

Filesize
1.7MB

Download
memory/3024-7-0x0000000077C10000-0x0000000077DB9000-memory.dmp

Filesize
1.7MB

Download
memory/3024-5-0x0000000077DC0000-0x0000000077DC2000-memory.dmp

Filesize
8KB

Download
memory/3024-4-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/3024-2-0x0000000077DC0000-0x0000000077DC2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads