xmrig | 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

General

Target

be582c09e0366fe632e8608a5d6f562e.exe
Size

8.9MB
MD5

be582c09e0366fe632e8608a5d6f562e
SHA1

9a71a33e87bae9a612acdbc3c149bd587370cea9
SHA256

25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7
SHA512

a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/768-88-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/768-89-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/768-90-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/768-91-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/768-92-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/768-93-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/768-94-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/768-95-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/768-96-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/768-97-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/768-99-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/768-98-0x0000000140310068-mapping.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

NvcDispCore.exesihost64.exe

pid process

1400 NvcDispCore.exe
536 sihost64.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exeNvcDispCore.exe

pid process

1172 cmd.exe
1172 cmd.exe
1400 NvcDispCore.exe
1400 NvcDispCore.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

be582c09e0366fe632e8608a5d6f562e.exeNvcDispCore.exe

pid process

776 be582c09e0366fe632e8608a5d6f562e.exe
1400 NvcDispCore.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

NvcDispCore.exe

description pid process target process

PID 1400 set thread context of 768 1400 NvcDispCore.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1108 schtasks.exe

pid	process
1400	NvcDispCore.exe
536	sihost64.exe

pid	process
1172	cmd.exe
1172	cmd.exe
1400	NvcDispCore.exe
1400	NvcDispCore.exe

description	pid	process	target process
PID 1400 set thread context of 768	1400	NvcDispCore.exe	svchost.exe

pid	process
1108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

be582c09e0366fe632e8608a5d6f562e.exeNvcDispCore.exesvchost.exe

pid	process
776	be582c09e0366fe632e8608a5d6f562e.exe
776	be582c09e0366fe632e8608a5d6f562e.exe
1400	NvcDispCore.exe
1400	NvcDispCore.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe
768	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

be582c09e0366fe632e8608a5d6f562e.exeNvcDispCore.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	776	be582c09e0366fe632e8608a5d6f562e.exe
Token: SeDebugPrivilege	1400	NvcDispCore.exe
Token: SeLockMemoryPrivilege	768	svchost.exe
Token: SeLockMemoryPrivilege	768	svchost.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

be582c09e0366fe632e8608a5d6f562e.execmd.execmd.exeNvcDispCore.exe

description	pid	process	target process
PID 776 wrote to memory of 1644	776	be582c09e0366fe632e8608a5d6f562e.exe	cmd.exe
PID 776 wrote to memory of 1644	776	be582c09e0366fe632e8608a5d6f562e.exe	cmd.exe
PID 776 wrote to memory of 1644	776	be582c09e0366fe632e8608a5d6f562e.exe	cmd.exe
PID 1644 wrote to memory of 1108	1644	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 1108	1644	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 1108	1644	cmd.exe	schtasks.exe
PID 776 wrote to memory of 1172	776	be582c09e0366fe632e8608a5d6f562e.exe	cmd.exe
PID 776 wrote to memory of 1172	776	be582c09e0366fe632e8608a5d6f562e.exe	cmd.exe
PID 776 wrote to memory of 1172	776	be582c09e0366fe632e8608a5d6f562e.exe	cmd.exe
PID 1172 wrote to memory of 1400	1172	cmd.exe	NvcDispCore.exe
PID 1172 wrote to memory of 1400	1172	cmd.exe	NvcDispCore.exe
PID 1172 wrote to memory of 1400	1172	cmd.exe	NvcDispCore.exe
PID 1400 wrote to memory of 536	1400	NvcDispCore.exe	sihost64.exe
PID 1400 wrote to memory of 536	1400	NvcDispCore.exe	sihost64.exe
PID 1400 wrote to memory of 536	1400	NvcDispCore.exe	sihost64.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe
PID 1400 wrote to memory of 768	1400	NvcDispCore.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\be582c09e0366fe632e8608a5d6f562e.exe
"C:\Users\Admin\AppData\Local\Temp\be582c09e0366fe632e8608a5d6f562e.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "NvcDispCore" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "NvcDispCore" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
3⤵
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
4⤵
- Executes dropped EXE
PID:536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe boikkedyfhfngu0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJQKdDfd51MUAGcZ+8CiY/eWLlgevDJQNJNphk49DJ6FdVIyvPtVTvQRFVcAxXw/Gq0V+XWFNEvMwDJNClhXLRUhg4HOd5Vw5wGJV9O2w/YW9hKei0wFR3PJm5h6TRmZtvcZXAMNqYVfAn+gor+a6j3BUNCzQU+Nl5ZZOCpekJ75uKpyfuXINvdi/lHPgOl+x9FeCj4JbAhf/cMV3hidKaKceVP0M9KcmMWgapPHuqY3XOC0QJFfCsXgfmNJeoVSgEFcsORGCVXZlokEm+vbKv6NTCLNN22Q3s20NBp+zb5Q6OpTuYTUj0t9JmVN9eM+m/7r/tmE6CrDQbztcR1Xq/333vpYGcUDwERGyRYtYyNNpz2UvHLnFL9SnTr2PyNBgeUBw0IizbxQseQmOxnRmm4A
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
MD5
be582c09e0366fe632e8608a5d6f562e

SHA1
9a71a33e87bae9a612acdbc3c149bd587370cea9

SHA256
25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

SHA512
a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
MD5
be582c09e0366fe632e8608a5d6f562e

SHA1
9a71a33e87bae9a612acdbc3c149bd587370cea9

SHA256
25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

SHA512
a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
d07170b788636b00c5160a24296cd8b3

SHA1
d39d7238233e21cde888295a34069f07689b2ec6

SHA256
09011b5dd881da303104480f6920a51b6c35d97e1ab7e436ebae2ffc399e23fd

SHA512
9cc9b6f05539942d810c0b827cff9343e828997ef1359312c2782275e6f3c1543fd681e48224768f7a179826bf143d4b1b21b3002e03c8e56763d39961b8f9a4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
MD5
be582c09e0366fe632e8608a5d6f562e

SHA1
9a71a33e87bae9a612acdbc3c149bd587370cea9

SHA256
25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

SHA512
a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
MD5
be582c09e0366fe632e8608a5d6f562e

SHA1
9a71a33e87bae9a612acdbc3c149bd587370cea9

SHA256
25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

SHA512
a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
d07170b788636b00c5160a24296cd8b3

SHA1
d39d7238233e21cde888295a34069f07689b2ec6

SHA256
09011b5dd881da303104480f6920a51b6c35d97e1ab7e436ebae2ffc399e23fd

SHA512
9cc9b6f05539942d810c0b827cff9343e828997ef1359312c2782275e6f3c1543fd681e48224768f7a179826bf143d4b1b21b3002e03c8e56763d39961b8f9a4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
d07170b788636b00c5160a24296cd8b3

SHA1
d39d7238233e21cde888295a34069f07689b2ec6

SHA256
09011b5dd881da303104480f6920a51b6c35d97e1ab7e436ebae2ffc399e23fd

SHA512
9cc9b6f05539942d810c0b827cff9343e828997ef1359312c2782275e6f3c1543fd681e48224768f7a179826bf143d4b1b21b3002e03c8e56763d39961b8f9a4

Download Submit
memory/536-79-0x0000000000000000-mapping.dmp

Download
memory/768-90-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-93-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-102-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/768-101-0x0000000000170000-0x0000000000190000-memory.dmp

Filesize
128KB

Download
memory/768-98-0x0000000140310068-mapping.dmp

Download
memory/768-100-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/768-99-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-97-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-96-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-95-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-94-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-92-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-91-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-89-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-88-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-87-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-86-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/768-85-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/776-59-0x000000001D590000-0x000000001D993000-memory.dmp

Filesize
4.0MB

Download
memory/776-55-0x0000000000400000-0x0000000001562000-memory.dmp

Filesize
17.4MB

Download
memory/776-61-0x000000001D002000-0x000000001D004000-memory.dmp

Filesize
8KB

Download
memory/776-63-0x000000001D006000-0x000000001D007000-memory.dmp

Filesize
4KB

Download
memory/776-62-0x000000001D004000-0x000000001D006000-memory.dmp

Filesize
8KB

Download
memory/776-57-0x0000000077080000-0x0000000077082000-memory.dmp

Filesize
8KB

Download
memory/776-58-0x0000000002DF0000-0x00000000031F6000-memory.dmp

Filesize
4.0MB

Download
memory/776-66-0x000000001D007000-0x000000001D008000-memory.dmp

Filesize
4KB

Download
memory/1108-65-0x0000000000000000-mapping.dmp

Download
memory/1172-67-0x0000000000000000-mapping.dmp

Download
memory/1400-81-0x000000001D1A2000-0x000000001D1A4000-memory.dmp

Filesize
8KB

Download
memory/1400-83-0x000000001D1A6000-0x000000001D1A7000-memory.dmp

Filesize
4KB

Download
memory/1400-73-0x0000000000400000-0x0000000001562000-memory.dmp

Filesize
17.4MB

Download
memory/1400-82-0x000000001D1A4000-0x000000001D1A6000-memory.dmp

Filesize
8KB

Download
memory/1400-71-0x0000000000000000-mapping.dmp

Download
memory/1400-84-0x000000001D1A7000-0x000000001D1A8000-memory.dmp

Filesize
4KB

Download
memory/1644-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads