tkanalyst

2019/09/14 RIG EK -> loader -> XMRig

Sep 14th, 2019
https://app.any.run/tasks/3f42a192-22d1-4ba8-bb21-c98a7117d347

Main object: "rad15B77.tmp.exe"
md5 0798589868c7a26d554754889744ea36
Dropped executable files
DNS requests
domain jeitacave.org
domain Pak.goifzy.com
Connections
ip 51.145.123.29
ip 104.28.18.126
ip 45.88.6.2
ip 114.114.114.114
HTTP/HTTPS requests
url http://jeitacave.org/ps002.jpg
url http://jeitacave.org/2U22nOJHFdDmYcgCS.jpg