xmrig | d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

General

Target

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
Size

10.7MB
MD5

b091c4848287be6601d720997394d453
SHA1

9180e34175e1f4644d5fa63227d665b2be15c75b
SHA256

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe
SHA512

a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a
SSDEEP

196608:oPnV1Bk/fRaGxUCBIORz5Z2YoZX0tMmp6tgq1D//XxdgPxwdT:oPKfR/UCBF+dZX0tMft/vxdgpG

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2856-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2856-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

dckuybanmlgp.exe

pid process

2160 dckuybanmlgp.exe

pid	process
2160	dckuybanmlgp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 2160 set thread context of 404	2160	dckuybanmlgp.exe	conhost.exe
PID 2160 set thread context of 2856	2160	dckuybanmlgp.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3304 sc.exe
1596 sc.exe
1220 sc.exe
3632 sc.exe

pid	process
3304	sc.exe
1596	sc.exe
1220	sc.exe
3632	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exedckuybanmlgp.exe

pid	process
2748	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2748	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2748	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2748	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2748	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2748	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2748	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2748	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2748	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2748	d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
2160	dckuybanmlgp.exe
2160	dckuybanmlgp.exe
2160	dckuybanmlgp.exe
2160	dckuybanmlgp.exe
2160	dckuybanmlgp.exe
2160	dckuybanmlgp.exe
2160	dckuybanmlgp.exe
2160	dckuybanmlgp.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	2792	powercfg.exe
Token: SeCreatePagefilePrivilege	2792	powercfg.exe
Token: SeShutdownPrivilege	2176	powercfg.exe
Token: SeCreatePagefilePrivilege	2176	powercfg.exe
Token: SeShutdownPrivilege	1488	powercfg.exe
Token: SeCreatePagefilePrivilege	1488	powercfg.exe
Token: SeShutdownPrivilege	352	powercfg.exe
Token: SeCreatePagefilePrivilege	352	powercfg.exe
Token: SeShutdownPrivilege	4024	powercfg.exe
Token: SeCreatePagefilePrivilege	4024	powercfg.exe
Token: SeShutdownPrivilege	4200	powercfg.exe
Token: SeCreatePagefilePrivilege	4200	powercfg.exe
Token: SeShutdownPrivilege	4484	powercfg.exe
Token: SeCreatePagefilePrivilege	4484	powercfg.exe
Token: SeShutdownPrivilege	2184	powercfg.exe
Token: SeCreatePagefilePrivilege	2184	powercfg.exe
Token: SeLockMemoryPrivilege	2856	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

dckuybanmlgp.exe

description	pid	process	target process
PID 2160 wrote to memory of 404	2160	dckuybanmlgp.exe	conhost.exe
PID 2160 wrote to memory of 404	2160	dckuybanmlgp.exe	conhost.exe
PID 2160 wrote to memory of 404	2160	dckuybanmlgp.exe	conhost.exe
PID 2160 wrote to memory of 404	2160	dckuybanmlgp.exe	conhost.exe
PID 2160 wrote to memory of 404	2160	dckuybanmlgp.exe	conhost.exe
PID 2160 wrote to memory of 404	2160	dckuybanmlgp.exe	conhost.exe
PID 2160 wrote to memory of 404	2160	dckuybanmlgp.exe	conhost.exe
PID 2160 wrote to memory of 404	2160	dckuybanmlgp.exe	conhost.exe
PID 2160 wrote to memory of 404	2160	dckuybanmlgp.exe	conhost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe
PID 2160 wrote to memory of 2856	2160	dckuybanmlgp.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe
"C:\Users\Admin\AppData\Local\Temp\d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2748
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:352
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:3632
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:3304
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:1596
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "OBGPQMHF"
  2⤵
  - Launches sc.exe
  PID:1220

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4024
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4200
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:404
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
7.7MB

MD5
7e6b2debafd9032b3c9da27669b1a5be

SHA1
e4de6928ecfd7bb12e64d8f480584770753f6a14

SHA256
09a21dbc9d41eda7e9717e2be8ea76e7a4b832e1c37033fd1a200fb608a90708

SHA512
9524cb227a405d4e2a34b9e05917412398a267089fdf1119a42e2d65e1be948f61507d4b3b0ce8937021e3965b28372fd8d4bdf8da701d304804faacbb20b864

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe

Filesize
7.6MB

MD5
618631d986ee9ce2c0f6dda95eada402

SHA1
1eece029990fcede057a723239060e42e9c4f3c6

SHA256
17fd8c36d5a54a5cdbacea6efe71963575a93a31c87210564ce895a1a5894730

SHA512
eccbc8fde7dcaecc17f010f99c0d59af45ffded7cd2d7b391e332ebd06e5578b1f14fe969379fd20ee8e66ad762bf135f62b565e5934d9eaa07b029fd7d0be1e

Download Submit
memory/404-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/404-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/404-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/404-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/404-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/404-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2160-10-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2160-9-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2160-32-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2748-2-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2748-1-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2748-5-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2748-0-0x00007FFEF34E0000-0x00007FFEF34E2000-memory.dmp

Filesize
8KB

Download
memory/2856-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-31-0x000001ED40DD0000-0x000001ED40DF0000-memory.dmp

Filesize
128KB

Download
memory/2856-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-40-0x000001ED40E50000-0x000001ED40E70000-memory.dmp

Filesize
128KB

Download
memory/2856-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-43-0x000001ED40E90000-0x000001ED40EB0000-memory.dmp

Filesize
128KB

Download
memory/2856-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2856-44-0x000001ED40E90000-0x000001ED40EB0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads