xmrig | bedfc69962e5a357c3bf9aa5e410a2f5760f4c844974b4b8f785fd2848928580 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

7

RunnerSys_...ed.exe

windows10-1703-x64

Sharing

General

Target

RunnerSys_protected.exe
Size

17.2MB
Sample

240704-1zgzjatfpe
MD5

07621700c6af0996cf45a3d04eebf72d
SHA1

789dcf4d965009bad086a67a57ca1375b0a520e0
SHA256

bedfc69962e5a357c3bf9aa5e410a2f5760f4c844974b4b8f785fd2848928580
SHA512

506974d5449c4ed59863563aba1177a22be736c8e285bdc75d5444c5ca51d87a665af69fcc8672298615e90290bbd1cd90411fa448882823fe4258e5f25aabb4
SSDEEP

393216:ayP1V/VA/mtzqHYE9xPhQpuTASC0irB5AX0zPERIQTFRvYeDWzQaWKQ:xNhG/mtzg39x0SC0irDE0WzQeDyQjKQ

Score

10^/10

xmrig evasion miner persistence themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

RunnerSys_protected.exe

Resource

win10-20240404-en

xmrig evasion miner persistence themida trojan

windows10-1703-x64

18 signatures

60 seconds

Malware Config

Targets

- Target
  
  RunnerSys_protected.exe
- Size
  
  17.2MB
- MD5
  
  07621700c6af0996cf45a3d04eebf72d
- SHA1
  
  789dcf4d965009bad086a67a57ca1375b0a520e0
- SHA256
  
  bedfc69962e5a357c3bf9aa5e410a2f5760f4c844974b4b8f785fd2848928580
- SHA512
  
  506974d5449c4ed59863563aba1177a22be736c8e285bdc75d5444c5ca51d87a665af69fcc8672298615e90290bbd1cd90411fa448882823fe4258e5f25aabb4
- SSDEEP
  
  393216:ayP1V/VA/mtzqHYE9xPhQpuTASC0irB5AX0zPERIQTFRvYeDWzQaWKQ:xNhG/mtzg39x0SC0irDE0WzQeDyQjKQ
Score

10^/10

xmrig evasion miner persistence themida trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

xmrigevasionminerpersistencethemidatrojan

© 2018-2025

Terms | Privacy