xmrig | 2aba29deec0bd0dc4d028360b9abdd30dc3b81b0e20bb40e3be7e5cb3240f76c

General

Target

RIMIX X!TRE.exe
Size

3.9MB
MD5

4b341683eae9ea9941df5fd7e60c7a09
SHA1

9318f92e924f54fdd856dac5839220af15cd8601
SHA256

0bffdd22b6c00bbe5da4a1cf4e84089cf8c50c7aa93993b652b2dedcd5d75237
SHA512

65805b2daade2b204c7b3316ea69c91feb6133c7bba70ccf36eba7abb83d087565e9bb450292afc83416dc04b66ee8ce26304cc46e37f480a081913e760683ef
SSDEEP

98304:fJs+xKkTwxRk+LkcddlstjcX9LqHpy96KZB:hxNwxiArlwjcX9L/6+

Score

10^/10

xmrig evasion execution miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/996-46-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/996-48-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/996-47-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/996-45-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/996-43-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/996-42-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/996-49-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/996-50-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/996-51-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2564	powershell.exe
2356	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 4 IoCs

pid	Process
2532	LocalgfxopFWClF.exe
2520	LocalViacuSsaRz..exe
476	Process not Found
600	protection.exe

Loads dropped DLL 4 IoCs

pid	Process
2232	RIMIX X!TRE.exe
2232	RIMIX X!TRE.exe
2232	RIMIX X!TRE.exe
476	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
7	raw.githubusercontent.com
8	raw.githubusercontent.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com
13	raw.githubusercontent.com
4	raw.githubusercontent.com
6	raw.githubusercontent.com
9	raw.githubusercontent.com
10	raw.githubusercontent.com
14	raw.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	LocalgfxopFWClF.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	protection.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 600 set thread context of 1676	600	protection.exe	72
PID 600 set thread context of 996	600	protection.exe	73

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/996-41-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-39-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-38-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-37-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-46-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-48-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-47-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-45-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-43-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-42-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-40-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-49-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-50-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/996-51-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2660	sc.exe
1528	sc.exe
2024	sc.exe
2912	sc.exe
780	sc.exe
2016	sc.exe
2144	sc.exe
2884	sc.exe
3024	sc.exe
2684	sc.exe
2388	sc.exe
1816	sc.exe
2152	sc.exe
2604	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40085ade2356db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2532	LocalgfxopFWClF.exe
2564	powershell.exe
2532	LocalgfxopFWClF.exe
2532	LocalgfxopFWClF.exe
2532	LocalgfxopFWClF.exe
2532	LocalgfxopFWClF.exe
2532	LocalgfxopFWClF.exe
2532	LocalgfxopFWClF.exe
2532	LocalgfxopFWClF.exe
2532	LocalgfxopFWClF.exe
2532	LocalgfxopFWClF.exe
2532	LocalgfxopFWClF.exe
600	protection.exe
2356	powershell.exe
600	protection.exe
600	protection.exe
600	protection.exe
600	protection.exe
600	protection.exe
600	protection.exe
600	protection.exe
600	protection.exe
996	conhost.exe
996	conhost.exe
996	conhost.exe
996	conhost.exe
996	conhost.exe
996	conhost.exe
996	conhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeLockMemoryPrivilege	996	conhost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2532	2232	RIMIX X!TRE.exe	30
PID 2232 wrote to memory of 2532	2232	RIMIX X!TRE.exe	30
PID 2232 wrote to memory of 2532	2232	RIMIX X!TRE.exe	30
PID 2232 wrote to memory of 2520	2232	RIMIX X!TRE.exe	33
PID 2232 wrote to memory of 2520	2232	RIMIX X!TRE.exe	33
PID 2232 wrote to memory of 2520	2232	RIMIX X!TRE.exe	33
PID 2616 wrote to memory of 2644	2616	cmd.exe	40
PID 2616 wrote to memory of 2644	2616	cmd.exe	40
PID 2616 wrote to memory of 2644	2616	cmd.exe	40
PID 2112 wrote to memory of 1252	2112	cmd.exe	63
PID 2112 wrote to memory of 1252	2112	cmd.exe	63
PID 2112 wrote to memory of 1252	2112	cmd.exe	63
PID 600 wrote to memory of 1676	600	protection.exe	72
PID 600 wrote to memory of 1676	600	protection.exe	72
PID 600 wrote to memory of 1676	600	protection.exe	72
PID 600 wrote to memory of 1676	600	protection.exe	72
PID 600 wrote to memory of 1676	600	protection.exe	72
PID 600 wrote to memory of 1676	600	protection.exe	72
PID 600 wrote to memory of 1676	600	protection.exe	72
PID 600 wrote to memory of 1676	600	protection.exe	72
PID 600 wrote to memory of 1676	600	protection.exe	72
PID 600 wrote to memory of 996	600	protection.exe	73
PID 600 wrote to memory of 996	600	protection.exe	73
PID 600 wrote to memory of 996	600	protection.exe	73
PID 600 wrote to memory of 996	600	protection.exe	73
PID 600 wrote to memory of 996	600	protection.exe	73

C:\Users\Admin\AppData\Local\Temp\RIMIX X!TRE.exe
"C:\Users\Admin\AppData\Local\Temp\RIMIX X!TRE.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\LocalgfxopFWClF.exe
  "C:\Users\Admin\AppData\LocalgfxopFWClF.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2532
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2644
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2152
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2884
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2912
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2660
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2604
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "protection"
    3⤵
    - Launches sc.exe
    PID:2684
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "protection" binpath= "C:\ProgramData\protection\protection.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3024
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2388
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "protection"
    3⤵
    - Launches sc.exe
    PID:2016
- C:\Users\Admin\AppData\LocalViacuSsaRz..exe
  "C:\Users\Admin\AppData\LocalViacuSsaRz..exe"
  2⤵
  - Executes dropped EXE
  PID:2520

C:\ProgramData\protection\protection.exe
C:\ProgramData\protection\protection.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:600
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:1252
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2144
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:780
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1528
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2024
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1816
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1676
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

System Services

2

T1569

Service Execution

2

T1569.002

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalgfxopFWClF.exe

Filesize
2.5MB

MD5
89890a59994cce0767f2bdfe51ce9ab0

SHA1
a9a9fc05ca89e14cfdc3451d4d84f6e4c80a4986

SHA256
c772a1fcbeba78f41d1897a4e72159fca97a86814b4df8169470c3fc15461671

SHA512
b038dc5a129194a7cbe67cf403eb1a812d7f3b07d1d6c6db6afaf251096ec80940dacfc9e12117768cb8117d7a155c7f930750e9703dc7e68c8d88c43efe4ecd

Download Submit
\Users\Admin\AppData\LocalViacuSsaRz..exe

Filesize
1.3MB

MD5
278aa0adffa18666357a1afe6057fcc9

SHA1
b93d6bbed7231fdd74bf3352ff284cafa252f838

SHA256
4f4683b52eee3d4624d32d5ee3d74641a01d24d61f234fcfcbaaef834b8d35d4

SHA512
95420d5204f11ccf39079f7af83f3842190a829a5a7ef6c12f98c52686a892ef56d455c7c321dd48a0b6458dfc097d9a9cc5fd27019c5eb7f136abf366768f98

Download Submit
memory/996-47-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-42-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-41-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-39-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-50-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-49-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-40-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-37-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-38-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-45-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-48-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-46-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-44-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/996-51-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/996-43-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1676-32-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1676-35-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1676-29-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1676-30-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1676-31-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1676-28-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2232-0-0x000007FEF50B3000-0x000007FEF50B4000-memory.dmp

Filesize
4KB

Download
memory/2232-1-0x0000000000320000-0x0000000000706000-memory.dmp

Filesize
3.9MB

Download
memory/2356-26-0x0000000019D40000-0x000000001A022000-memory.dmp

Filesize
2.9MB

Download
memory/2356-27-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2564-19-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2564-20-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing