xmrig | 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

General

Target

25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe
Size

8.9MB
MD5

be582c09e0366fe632e8608a5d6f562e
SHA1

9a71a33e87bae9a612acdbc3c149bd587370cea9
SHA256

25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7
SHA512

a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2320-145-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/2320-146-0x0000000140310068-mapping.dmp	xmrig
behavioral1/memory/2320-148-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

NvcDispCore.exesihost64.exe

pid process

416 NvcDispCore.exe
2064 sihost64.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exeNvcDispCore.exe

pid process

4292 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe
416 NvcDispCore.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

NvcDispCore.exe

description pid process target process

PID 416 set thread context of 2320 416 NvcDispCore.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

420 schtasks.exe

pid	process
416	NvcDispCore.exe
2064	sihost64.exe

description	pid	process	target process
PID 416 set thread context of 2320	416	NvcDispCore.exe	svchost.exe

pid	process
420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exeNvcDispCore.exesvchost.exe

pid	process
4292	25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe
4292	25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe
4292	25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe
416	NvcDispCore.exe
416	NvcDispCore.exe
416	NvcDispCore.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe
2320	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exeNvcDispCore.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4292	25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe
Token: SeDebugPrivilege	416	NvcDispCore.exe
Token: SeLockMemoryPrivilege	2320	svchost.exe
Token: SeLockMemoryPrivilege	2320	svchost.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.execmd.execmd.exeNvcDispCore.exe

description	pid	process	target process
PID 4292 wrote to memory of 4388	4292	25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe	cmd.exe
PID 4292 wrote to memory of 4388	4292	25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe	cmd.exe
PID 4388 wrote to memory of 420	4388	cmd.exe	schtasks.exe
PID 4388 wrote to memory of 420	4388	cmd.exe	schtasks.exe
PID 4292 wrote to memory of 640	4292	25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe	cmd.exe
PID 4292 wrote to memory of 640	4292	25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe	cmd.exe
PID 640 wrote to memory of 416	640	cmd.exe	NvcDispCore.exe
PID 640 wrote to memory of 416	640	cmd.exe	NvcDispCore.exe
PID 416 wrote to memory of 2064	416	NvcDispCore.exe	sihost64.exe
PID 416 wrote to memory of 2064	416	NvcDispCore.exe	sihost64.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe
PID 416 wrote to memory of 2320	416	NvcDispCore.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe
"C:\Users\Admin\AppData\Local\Temp\25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "NvcDispCore" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "NvcDispCore" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
3⤵
- Creates scheduled task(s)
PID:420

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:416

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
4⤵
- Executes dropped EXE
PID:2064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe boikkedyfhfngu0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJQKdDfd51MUAGcZ+8CiY/eWLlgevDJQNJNphk49DJ6FdVIyvPtVTvQRFVcAxXw/Gq0V+XWFNEvMwDJNClhXLRUhg4HOd5Vw5wGJV9O2w/YW9hKei0wFR3PJm5h6TRmZtvcZXAMNqYVfAn+gor+a6j3BUNCzQU+Nl5ZZOCpekJ75uKpyfuXINvdi/lHPgOl+x9FeCj4JbAhf/cMV3hidKaKceVP0M9KcmMWgapPHuqY3XOC0QJFfCsXgfmNJeoVSgEFcsORGCVXZlokEm+vbKv6NTCLNN22Q3s20NBp+zb5Q6OpTuYTUj0t9JmVN9eM+m/7r/tmE6CrDQbztcR1Xq/333vpYGcUDwERGyRYtYyNNpz2UvHLnFL9SnTr2PyNBgeUBw0IizbxQseQmOxnRmm4A
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
MD5
be582c09e0366fe632e8608a5d6f562e

SHA1
9a71a33e87bae9a612acdbc3c149bd587370cea9

SHA256
25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

SHA512
a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
MD5
be582c09e0366fe632e8608a5d6f562e

SHA1
9a71a33e87bae9a612acdbc3c149bd587370cea9

SHA256
25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

SHA512
a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
d07170b788636b00c5160a24296cd8b3

SHA1
d39d7238233e21cde888295a34069f07689b2ec6

SHA256
09011b5dd881da303104480f6920a51b6c35d97e1ab7e436ebae2ffc399e23fd

SHA512
9cc9b6f05539942d810c0b827cff9343e828997ef1359312c2782275e6f3c1543fd681e48224768f7a179826bf143d4b1b21b3002e03c8e56763d39961b8f9a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
d07170b788636b00c5160a24296cd8b3

SHA1
d39d7238233e21cde888295a34069f07689b2ec6

SHA256
09011b5dd881da303104480f6920a51b6c35d97e1ab7e436ebae2ffc399e23fd

SHA512
9cc9b6f05539942d810c0b827cff9343e828997ef1359312c2782275e6f3c1543fd681e48224768f7a179826bf143d4b1b21b3002e03c8e56763d39961b8f9a4

Download Submit
memory/416-144-0x000000001CDB6000-0x000000001CDB7000-memory.dmp

Filesize
4KB

Download
memory/416-142-0x000000001CDB0000-0x000000001CDB2000-memory.dmp

Filesize
8KB

Download
memory/416-143-0x000000001CDB3000-0x000000001CDB5000-memory.dmp

Filesize
8KB

Download
memory/416-134-0x0000000000400000-0x0000000001562000-memory.dmp

Filesize
17.4MB

Download
memory/416-131-0x0000000000000000-mapping.dmp

Download
memory/420-127-0x0000000000000000-mapping.dmp

Download
memory/640-130-0x0000000000000000-mapping.dmp

Download
memory/2064-139-0x0000000000000000-mapping.dmp

Download
memory/2320-145-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2320-146-0x0000000140310068-mapping.dmp

Download
memory/2320-151-0x0000028490220000-0x0000028490240000-memory.dmp

Filesize
128KB

Download
memory/2320-150-0x0000028490240000-0x0000028490260000-memory.dmp

Filesize
128KB

Download
memory/2320-149-0x0000028490200000-0x0000028490220000-memory.dmp

Filesize
128KB

Download
memory/2320-148-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2320-147-0x00000284901B0000-0x00000284901D0000-memory.dmp

Filesize
128KB

Download
memory/4292-121-0x00000000032C0000-0x00000000036C6000-memory.dmp

Filesize
4.0MB

Download
memory/4292-120-0x00007FFBC5DA0000-0x00007FFBC5DA2000-memory.dmp

Filesize
8KB

Download
memory/4292-118-0x0000000000400000-0x0000000001562000-memory.dmp

Filesize
17.4MB

Download
memory/4292-129-0x00000000019C6000-0x00000000019C7000-memory.dmp

Filesize
4KB

Download
memory/4292-122-0x000000001D1D0000-0x000000001D5D3000-memory.dmp

Filesize
4.0MB

Download
memory/4292-124-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download
memory/4292-128-0x00000000019C3000-0x00000000019C5000-memory.dmp

Filesize
8KB

Download
memory/4292-126-0x00000000019C0000-0x00000000019C2000-memory.dmp

Filesize
8KB

Download
memory/4388-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads