Analysis
- max time kernel: 148s
- max time network: 136s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 03-12-2021 23:04
- Static task: static1
General
- Target: 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe
- Size: 8.9MB
- MD5: be582c09e0366fe632e8608a5d6f562e
- SHA1: 9a71a33e87bae9a612acdbc3c149bd587370cea9
- SHA256: 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7
- SHA512: a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e
Malware Config
Signatures

- XMRig Miner Payload (3 IoCs)

  | resource | yara_rule |
  |---|---|
  | behavioral1/memory/2320-145-0x0000000140000000-0x0000000140787000-memory.dmp | xmrig |
  | behavioral1/memory/2320-146-0x0000000140310068-mapping.dmp | xmrig |
  | behavioral1/memory/2320-148-0x0000000140000000-0x0000000140787000-memory.dmp | xmrig |

- Executes dropped EXE (2 IoCs)

  | pid | process |
  |---|---|
  | 416 | NvcDispCore.exe |
  | 2064 | sihost64.exe |

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)

  | pid | process |
  |---|---|
  | 4292 | 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe |
  | 416 | NvcDispCore.exe |

- Suspicious use of SetThreadContext (1 IoC)

  | description | pid | process | target process |
  |---|---|---|---|
  | PID 416 set thread context of 2320 | 416 | NvcDispCore.exe | svchost.exe |

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (32 IoCs)

  | pid | process | occurrences |
  |---|---|---|
  | 4292 | 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe | 3 |
  | 416 | NvcDispCore.exe | 3 |
  | 2320 | svchost.exe | 26 |

- Suspicious use of AdjustPrivilegeToken (4 IoCs)

  | description | pid | process |
  |---|---|---|
  | Token: SeDebugPrivilege | 4292 | 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe |
  | Token: SeDebugPrivilege | 416 | NvcDispCore.exe |
  | Token: SeLockMemoryPrivilege | 2320 | svchost.exe |
  | Token: SeLockMemoryPrivilege | 2320 | svchost.exe |

- Suspicious use of WriteProcessMemory (25 IoCs)

  | description | pid | process | target process | occurrences |
  |---|---|---|---|---|
  | PID 4292 wrote to memory of 4388 | 4292 | 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe | cmd.exe | 2 |
  | PID 4388 wrote to memory of 420 | 4388 | cmd.exe | schtasks.exe | 2 |
  | PID 4292 wrote to memory of 640 | 4292 | 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe | cmd.exe | 2 |
  | PID 640 wrote to memory of 416 | 640 | cmd.exe | NvcDispCore.exe | 2 |
  | PID 416 wrote to memory of 2064 | 416 | NvcDispCore.exe | sihost64.exe | 2 |
  | PID 416 wrote to memory of 2320 | 416 | NvcDispCore.exe | svchost.exe | 15 |
Processes (process tree; indentation shows parent/child relationships)

- C:\Users\Admin\AppData\Local\Temp\25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7.exe"
  Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "NvcDispCore" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "NvcDispCore" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
      Signatures: Creates scheduled task(s)
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
      Signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
        Signatures: Executes dropped EXE
      - C:\Windows\System32\svchost.exe
        Command line: C:\Windows\System32\svchost.exe boikkedyfhfngu0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJQKdDfd51MUAGcZ+8CiY/eWLlgevDJQNJNphk49DJ6FdVIyvPtVTvQRFVcAxXw/Gq0V+XWFNEvMwDJNClhXLRUhg4HOd5Vw5wGJV9O2w/YW9hKei0wFR3PJm5h6TRmZtvcZXAMNqYVfAn+gor+a6j3BUNCzQU+Nl5ZZOCpekJ75uKpyfuXINvdi/lHPgOl+x9FeCj4JbAhf/cMV3hidKaKceVP0M9KcmMWgapPHuqY3XOC0QJFfCsXgfmNJeoVSgEFcsORGCVXZlokEm+vbKv6NTCLNN22Q3s20NBp+zb5Q6OpTuYTUj0t9JmVN9eM+m/7r/tmE6CrDQbztcR1Xq/333vpYGcUDwERGyRYtYyNNpz2UvHLnFL9SnTr2PyNBgeUBw0IizbxQseQmOxnRmm4A
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe (identical hashes to the submitted target, i.e. a copy of the sample)
  - MD5: be582c09e0366fe632e8608a5d6f562e
  - SHA1: 9a71a33e87bae9a612acdbc3c149bd587370cea9
  - SHA256: 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7
  - SHA512: a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

- C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
  - MD5: d07170b788636b00c5160a24296cd8b3
  - SHA1: d39d7238233e21cde888295a34069f07689b2ec6
  - SHA256: 09011b5dd881da303104480f6920a51b6c35d97e1ab7e436ebae2ffc399e23fd
  - SHA512: 9cc9b6f05539942d810c0b827cff9343e828997ef1359312c2782275e6f3c1543fd681e48224768f7a179826bf143d4b1b21b3002e03c8e56763d39961b8f9a4
| Memory dump | Filesize |
|---|---|
| memory/416-144-0x000000001CDB6000-0x000000001CDB7000-memory.dmp | 4KB |
| memory/416-142-0x000000001CDB0000-0x000000001CDB2000-memory.dmp | 8KB |
| memory/416-143-0x000000001CDB3000-0x000000001CDB5000-memory.dmp | 8KB |
| memory/416-134-0x0000000000400000-0x0000000001562000-memory.dmp | 17.4MB |
| memory/416-131-0x0000000000000000-mapping.dmp | - |
| memory/420-127-0x0000000000000000-mapping.dmp | - |
| memory/640-130-0x0000000000000000-mapping.dmp | - |
| memory/2064-139-0x0000000000000000-mapping.dmp | - |
| memory/2320-145-0x0000000140000000-0x0000000140787000-memory.dmp | 7.5MB |
| memory/2320-146-0x0000000140310068-mapping.dmp | - |
| memory/2320-151-0x0000028490220000-0x0000028490240000-memory.dmp | 128KB |
| memory/2320-150-0x0000028490240000-0x0000028490260000-memory.dmp | 128KB |
| memory/2320-149-0x0000028490200000-0x0000028490220000-memory.dmp | 128KB |
| memory/2320-148-0x0000000140000000-0x0000000140787000-memory.dmp | 7.5MB |
| memory/2320-147-0x00000284901B0000-0x00000284901D0000-memory.dmp | 128KB |
| memory/4292-121-0x00000000032C0000-0x00000000036C6000-memory.dmp | 4.0MB |
| memory/4292-120-0x00007FFBC5DA0000-0x00007FFBC5DA2000-memory.dmp | 8KB |
| memory/4292-118-0x0000000000400000-0x0000000001562000-memory.dmp | 17.4MB |
| memory/4292-129-0x00000000019C6000-0x00000000019C7000-memory.dmp | 4KB |
| memory/4292-122-0x000000001D1D0000-0x000000001D5D3000-memory.dmp | 4.0MB |
| memory/4292-124-0x00000000019D0000-0x00000000019D1000-memory.dmp | 4KB |
| memory/4292-128-0x00000000019C3000-0x00000000019C5000-memory.dmp | 8KB |
| memory/4292-126-0x00000000019C0000-0x00000000019C2000-memory.dmp | 8KB |
| memory/4388-125-0x0000000000000000-mapping.dmp | - |