xmrig | 25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

General

Target

be582c09e0366fe632e8608a5d6f562e.exe
Size

8.9MB
MD5

be582c09e0366fe632e8608a5d6f562e
SHA1

9a71a33e87bae9a612acdbc3c149bd587370cea9
SHA256

25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7
SHA512

a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1608-145-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral2/memory/1608-146-0x0000000140310068-mapping.dmp	xmrig
behavioral2/memory/1608-148-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

NvcDispCore.exesihost64.exe

pid process

2508 NvcDispCore.exe
1344 sihost64.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

be582c09e0366fe632e8608a5d6f562e.exeNvcDispCore.exe

pid process

3576 be582c09e0366fe632e8608a5d6f562e.exe
2508 NvcDispCore.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

NvcDispCore.exe

description pid process target process

PID 2508 set thread context of 1608 2508 NvcDispCore.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3664 schtasks.exe

pid	process
2508	NvcDispCore.exe
1344	sihost64.exe

description	pid	process	target process
PID 2508 set thread context of 1608	2508	NvcDispCore.exe	svchost.exe

pid	process
3664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

be582c09e0366fe632e8608a5d6f562e.exeNvcDispCore.exesvchost.exe

pid	process
3576	be582c09e0366fe632e8608a5d6f562e.exe
3576	be582c09e0366fe632e8608a5d6f562e.exe
3576	be582c09e0366fe632e8608a5d6f562e.exe
2508	NvcDispCore.exe
2508	NvcDispCore.exe
2508	NvcDispCore.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe
1608	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

be582c09e0366fe632e8608a5d6f562e.exeNvcDispCore.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3576	be582c09e0366fe632e8608a5d6f562e.exe
Token: SeDebugPrivilege	2508	NvcDispCore.exe
Token: SeLockMemoryPrivilege	1608	svchost.exe
Token: SeLockMemoryPrivilege	1608	svchost.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

be582c09e0366fe632e8608a5d6f562e.execmd.execmd.exeNvcDispCore.exe

description	pid	process	target process
PID 3576 wrote to memory of 3128	3576	be582c09e0366fe632e8608a5d6f562e.exe	cmd.exe
PID 3576 wrote to memory of 3128	3576	be582c09e0366fe632e8608a5d6f562e.exe	cmd.exe
PID 3128 wrote to memory of 3664	3128	cmd.exe	schtasks.exe
PID 3128 wrote to memory of 3664	3128	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 4604	3576	be582c09e0366fe632e8608a5d6f562e.exe	cmd.exe
PID 3576 wrote to memory of 4604	3576	be582c09e0366fe632e8608a5d6f562e.exe	cmd.exe
PID 4604 wrote to memory of 2508	4604	cmd.exe	NvcDispCore.exe
PID 4604 wrote to memory of 2508	4604	cmd.exe	NvcDispCore.exe
PID 2508 wrote to memory of 1344	2508	NvcDispCore.exe	sihost64.exe
PID 2508 wrote to memory of 1344	2508	NvcDispCore.exe	sihost64.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe
PID 2508 wrote to memory of 1608	2508	NvcDispCore.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\be582c09e0366fe632e8608a5d6f562e.exe
"C:\Users\Admin\AppData\Local\Temp\be582c09e0366fe632e8608a5d6f562e.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "NvcDispCore" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "NvcDispCore" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
3⤵
- Creates scheduled task(s)
PID:3664

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
4⤵
- Executes dropped EXE
PID:1344

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe boikkedyfhfngu0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJQKdDfd51MUAGcZ+8CiY/eWLlgevDJQNJNphk49DJ6FdVIyvPtVTvQRFVcAxXw/Gq0V+XWFNEvMwDJNClhXLRUhg4HOd5Vw5wGJV9O2w/YW9hKei0wFR3PJm5h6TRmZtvcZXAMNqYVfAn+gor+a6j3BUNCzQU+Nl5ZZOCpekJ75uKpyfuXINvdi/lHPgOl+x9FeCj4JbAhf/cMV3hidKaKceVP0M9KcmMWgapPHuqY3XOC0QJFfCsXgfmNJeoVSgEFcsORGCVXZlokEm+vbKv6NTCLNN22Q3s20NBp+zb5Q6OpTuYTUj0t9JmVN9eM+m/7r/tmE6CrDQbztcR1Xq/333vpYGcUDwERGyRYtYyNNpz2UvHLnFL9SnTr2PyNBgeUBw0IizbxQseQmOxnRmm4A
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
MD5
be582c09e0366fe632e8608a5d6f562e

SHA1
9a71a33e87bae9a612acdbc3c149bd587370cea9

SHA256
25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

SHA512
a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\NvcDispCore.exe
MD5
be582c09e0366fe632e8608a5d6f562e

SHA1
9a71a33e87bae9a612acdbc3c149bd587370cea9

SHA256
25d7abfa8b1175a98ad3f64ebdd5a01904ed73f739571eb39fde09a48d0ff8a7

SHA512
a9fd645d812f09363aa2eb8e6515a352c6749a6155a7dc697c73271f0f39c7db820c9299dce70859b38532b07a7ea34a50c5c3dbaaf8cfc26f83470939f5074e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
d07170b788636b00c5160a24296cd8b3

SHA1
d39d7238233e21cde888295a34069f07689b2ec6

SHA256
09011b5dd881da303104480f6920a51b6c35d97e1ab7e436ebae2ffc399e23fd

SHA512
9cc9b6f05539942d810c0b827cff9343e828997ef1359312c2782275e6f3c1543fd681e48224768f7a179826bf143d4b1b21b3002e03c8e56763d39961b8f9a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
d07170b788636b00c5160a24296cd8b3

SHA1
d39d7238233e21cde888295a34069f07689b2ec6

SHA256
09011b5dd881da303104480f6920a51b6c35d97e1ab7e436ebae2ffc399e23fd

SHA512
9cc9b6f05539942d810c0b827cff9343e828997ef1359312c2782275e6f3c1543fd681e48224768f7a179826bf143d4b1b21b3002e03c8e56763d39961b8f9a4

Download Submit
memory/1344-139-0x0000000000000000-mapping.dmp

Download
memory/1608-151-0x0000023CB2A70000-0x0000023CB2A90000-memory.dmp

Filesize
128KB

Download
memory/1608-150-0x0000023CB10D0000-0x0000023CB10F0000-memory.dmp

Filesize
128KB

Download
memory/1608-149-0x0000023CB1090000-0x0000023CB10B0000-memory.dmp

Filesize
128KB

Download
memory/1608-148-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1608-147-0x0000023CB1030000-0x0000023CB1050000-memory.dmp

Filesize
128KB

Download
memory/1608-146-0x0000000140310068-mapping.dmp

Download
memory/1608-145-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2508-134-0x0000000000400000-0x0000000001562000-memory.dmp

Filesize
17.4MB

Download
memory/2508-142-0x000000001CE30000-0x000000001CE32000-memory.dmp

Filesize
8KB

Download
memory/2508-131-0x0000000000000000-mapping.dmp

Download
memory/2508-144-0x000000001CE36000-0x000000001CE37000-memory.dmp

Filesize
4KB

Download
memory/2508-143-0x000000001CE33000-0x000000001CE35000-memory.dmp

Filesize
8KB

Download
memory/3128-128-0x0000000000000000-mapping.dmp

Download
memory/3576-126-0x000000001CFC3000-0x000000001CFC5000-memory.dmp

Filesize
8KB

Download
memory/3576-127-0x000000001CFC6000-0x000000001CFC7000-memory.dmp

Filesize
4KB

Download
memory/3576-118-0x0000000000400000-0x0000000001562000-memory.dmp

Filesize
17.4MB

Download
memory/3576-124-0x0000000003360000-0x0000000003766000-memory.dmp

Filesize
4.0MB

Download
memory/3576-125-0x000000001CFC0000-0x000000001CFC2000-memory.dmp

Filesize
8KB

Download
memory/3576-123-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

Filesize
4KB

Download
memory/3576-121-0x000000001D3E0000-0x000000001D7E3000-memory.dmp

Filesize
4.0MB

Download
memory/3576-119-0x00007FFD51DD0000-0x00007FFD51DD2000-memory.dmp

Filesize
8KB

Download
memory/3664-129-0x0000000000000000-mapping.dmp

Download
memory/4604-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads