xmrig | 2ba8c1354aca93d81429af2c1e139427473d1e7a494b609a307742c49426e7e1 | Triage

Submit
Reports

Overview

overview

Static

static

CHECKRA1N/...1N.exe

windows7-x64

CHECKRA1N/...1N.exe

windows10-2004-x64

Sharing

General

Target

CHECKRA1N.rar
Size

17.1MB
Sample

220926-xdklrabgb9
MD5

8aefa0524a8d9150db75eff22d4c7f25
SHA1

cc2aebd259e7b676a7dfd6a2850f93db1f2b439c
SHA256

2ba8c1354aca93d81429af2c1e139427473d1e7a494b609a307742c49426e7e1
SHA512

0fdaa41dbe99b214876b14dd1e8fcaba5a0d752a6f0c2eaa5fb3722d835d9abf41ddbc1602570287444285de6642d19f49e2f2e8f224afc3839920e3cb289801
SSDEEP

393216:0y99GQZ6dgfLBQCnaSE0bZ4kKwf1rzBVg4qgudQQm+jEA:0s9LZ6dgzBznaSEPdi/tzRA

Score

10^/10

xmrig evasion miner spyware stealer upx

Static task

static1

Behavioral task

behavioral1

Sample

CHECKRA1N/CHECKRA1N.exe

Resource

win7-20220901-en

spyware stealer

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

CHECKRA1N/CHECKRA1N.exe

Resource

win10v2004-20220812-en

xmrig evasion miner spyware stealer upx

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  CHECKRA1N/CHECKRA1N.exe
- Size
  
  681.1MB
- MD5
  
  f57c9332808a063901254cd41eef7613
- SHA1
  
  67df58792e9a9d3c3d00e39753873fcf6ef2ae5f
- SHA256
  
  2b50d8d9acaab4c8679d87d37dda1e97464e3bdbb00c942277c58d7532098a50
- SHA512
  
  e032ca3899a93170f8a3e2d4be32deb66f21c5de02fc9f453bfd3709c0f54ff5eb75db58777ca1565dd57632b7c125de776b69737e8554761e1e15fd3b98e0eb
- SSDEEP
  
  393216:zKAhcUJ09+imj7+mmFygBWbln6eqOBZC517HNohLBn5Iv/vQ:2O090j7nmFVWhn/qOB8JiaQ
Score

10^/10

spyware stealer xmrig evasion miner upx
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Drops file in Drivers directory
- Executes dropped EXE
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Impair Defenses

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

xmrigevasionminerspywarestealerupx

© 2018-2024

Terms | Privacy