xmrig | 29c33b2686d2d38ae07e767faf3cd04a7482f5b37bea48bba7b5d9ff17453f86 | Triage

Submit
Reports

Overview

overview

Static

static

INJECTOR/Injector.exe

windows7-x64

INJECTOR/Injector.exe

windows10-2004-x64

Sharing

General

Target

INJECTOR.rar
Size

17.1MB
Sample

220926-xdg6mabgb8
MD5

f8b932ef51943ca2bc2b35cc7e6bfaad
SHA1

5b6217def68d22cb6c6338d09313f37953c5eb7b
SHA256

29c33b2686d2d38ae07e767faf3cd04a7482f5b37bea48bba7b5d9ff17453f86
SHA512

8ffae5c558912d0c998f54ce6c1d807596ad37e27c87f9cc66f071e5da393797c642c4546204dfafa40c44376c97bb3a11029bc61f8b252c1afa69fed817f59f
SSDEEP

393216:II9hhFD281QFB41PBvimrYhyjwfXbxNDRBtTAwE6:Nh9GFwZiIYlfXbjZf

Score

10^/10

xmrig evasion miner spyware stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

INJECTOR/Injector.exe

Resource

win7-20220812-en

spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

INJECTOR/Injector.exe

Resource

win10v2004-20220812-en

xmrig evasion miner spyware stealer upx

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  INJECTOR/Injector.exe
- Size
  
  681.1MB
- MD5
  
  f57c9332808a063901254cd41eef7613
- SHA1
  
  67df58792e9a9d3c3d00e39753873fcf6ef2ae5f
- SHA256
  
  2b50d8d9acaab4c8679d87d37dda1e97464e3bdbb00c942277c58d7532098a50
- SHA512
  
  e032ca3899a93170f8a3e2d4be32deb66f21c5de02fc9f453bfd3709c0f54ff5eb75db58777ca1565dd57632b7c125de776b69737e8554761e1e15fd3b98e0eb
- SSDEEP
  
  393216:zKAhcUJ09+imj7+mmFygBWbln6eqOBZC517HNohLBn5Iv/vQ:2O090j7nmFVWhn/qOB8JiaQ
Score

10^/10

spyware stealer xmrig evasion miner upx
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Drops file in Drivers directory
- Executes dropped EXE
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Impair Defenses

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

xmrigevasionminerspywarestealerupx

© 2018-2024

Terms | Privacy