xmrig | fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc

General

Target

fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe
Size

8.9MB
MD5

15934d89ff0ce1f3bb0bea4e85a3cb22
SHA1

00935ef950752b6f2c708d0cf963d070a498e3cc
SHA256

fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc
SHA512

6383a3e66933518ec652090382473d566892af62009583c5a96e4a966382df30619d07ff965d390fbf1fb813a8e416754a5ca4c85b61f550d391dc57f182b900

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1528-145-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig
behavioral1/memory/1528-146-0x0000000140310068-mapping.dmp	xmrig
behavioral1/memory/1528-148-0x0000000140000000-0x0000000140787000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

Processes:

netnccim.exesihost64.exe

pid process

4424 netnccim.exe
1248 sihost64.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exenetnccim.exe

pid process

3768 fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe
4424 netnccim.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

netnccim.exe

description pid process target process

PID 4424 set thread context of 1528 4424 netnccim.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3756 schtasks.exe

pid	process
4424	netnccim.exe
1248	sihost64.exe

description	pid	process	target process
PID 4424 set thread context of 1528	4424	netnccim.exe	svchost.exe

pid	process
3756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exenetnccim.exesvchost.exe

pid	process
3768	fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe
3768	fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe
3768	fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe
4424	netnccim.exe
4424	netnccim.exe
4424	netnccim.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe
1528	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exenetnccim.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3768	fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe
Token: SeDebugPrivilege	4424	netnccim.exe
Token: SeLockMemoryPrivilege	1528	svchost.exe
Token: SeLockMemoryPrivilege	1528	svchost.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.execmd.execmd.exenetnccim.exesihost64.exe

description	pid	process	target process
PID 3768 wrote to memory of 3196	3768	fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe	cmd.exe
PID 3768 wrote to memory of 3196	3768	fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe	cmd.exe
PID 3196 wrote to memory of 3756	3196	cmd.exe	schtasks.exe
PID 3196 wrote to memory of 3756	3196	cmd.exe	schtasks.exe
PID 3768 wrote to memory of 3084	3768	fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe	cmd.exe
PID 3768 wrote to memory of 3084	3768	fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe	cmd.exe
PID 3084 wrote to memory of 4424	3084	cmd.exe	netnccim.exe
PID 3084 wrote to memory of 4424	3084	cmd.exe	netnccim.exe
PID 4424 wrote to memory of 1248	4424	netnccim.exe	sihost64.exe
PID 4424 wrote to memory of 1248	4424	netnccim.exe	sihost64.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 4424 wrote to memory of 1528	4424	netnccim.exe	svchost.exe
PID 1248 wrote to memory of 2416	1248	sihost64.exe	conhost.exe
PID 1248 wrote to memory of 2416	1248	sihost64.exe	conhost.exe
PID 1248 wrote to memory of 2416	1248	sihost64.exe	conhost.exe

C:\Users\Admin\AppData\Local\Temp\fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe
"C:\Users\Admin\AppData\Local\Temp\fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "netnccim" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\netnccim.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "netnccim" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\netnccim.exe"
3⤵
- Creates scheduled task(s)
PID:3756

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\netnccim.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Roaming\Microsoft\netnccim.exe
C:\Users\Admin\AppData\Roaming\Microsoft\netnccim.exe
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "xvqlwpjxfvhoymb"
5⤵
PID:2416

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe kmfnqjfuheyj0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRSWr9mZW0WjQ8Zp6uvmLE6u5mJa6blLxbhLUBAH2hxKYIV+zuRDwuUBi5OrPMu66gPyw7gxP8IX80VPq/BMGCIFBkTOMbCf3MJ/sPlS5VXAPrlcMOalvFyeIXHIDtUbqKV18Jhqwg+UxjGvyu2oNdg+qXlBfLMdPaOjIDO+J7ZkJNdBoU4eCf0R5k6cBO8/Mimmk9lMvLnq+gG3iENLugY8qxVC1HSOWjmuo3WXFnRjj1i7g/1uZfrD/5WY21Xh4kB+F9A5wJKZoDeVOS+aDg9+Y0c+p+ahbp/yNqj7HecVMJm8e26JZ5iRWwVTuqNlLy9mObCCHUkAmh6zRw1XJgG78fbLuAx0Vhwzfn4UxmZM5snsrNY7eU15qfGDbB3HA/dpeX6tHT6AcPhPJheqyMc
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
aa7077ce2e2a03ef3be7f6fdb9878c60

SHA1
03167c0bfad92694e3e929938ff03e0b0f99987a

SHA256
1fde4a0d5cd615c4118e86b9c4144c21476bc93c7b113b939b4b9716349abc09

SHA512
2f2d789fdfa9012115c89d5b930783ee7bcd237fa032b310730223f7f88981b8f78d31b4a17dce5c86a55f72061feb634ff6b0550c2aca7daf777843e4b48406

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
MD5
aa7077ce2e2a03ef3be7f6fdb9878c60

SHA1
03167c0bfad92694e3e929938ff03e0b0f99987a

SHA256
1fde4a0d5cd615c4118e86b9c4144c21476bc93c7b113b939b4b9716349abc09

SHA512
2f2d789fdfa9012115c89d5b930783ee7bcd237fa032b310730223f7f88981b8f78d31b4a17dce5c86a55f72061feb634ff6b0550c2aca7daf777843e4b48406

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\netnccim.exe
MD5
15934d89ff0ce1f3bb0bea4e85a3cb22

SHA1
00935ef950752b6f2c708d0cf963d070a498e3cc

SHA256
fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc

SHA512
6383a3e66933518ec652090382473d566892af62009583c5a96e4a966382df30619d07ff965d390fbf1fb813a8e416754a5ca4c85b61f550d391dc57f182b900

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\netnccim.exe
MD5
15934d89ff0ce1f3bb0bea4e85a3cb22

SHA1
00935ef950752b6f2c708d0cf963d070a498e3cc

SHA256
fbe7a93a4914059fd6696d6f146ec819d292ccf3eb6be2a00b573505aec21adc

SHA512
6383a3e66933518ec652090382473d566892af62009583c5a96e4a966382df30619d07ff965d390fbf1fb813a8e416754a5ca4c85b61f550d391dc57f182b900

Download Submit
memory/1248-139-0x0000000000000000-mapping.dmp

Download
memory/1528-162-0x00000262BB670000-0x00000262BB690000-memory.dmp

Filesize
128KB

Download
memory/1528-163-0x00000262BB690000-0x00000262BB6B0000-memory.dmp

Filesize
128KB

Download
memory/1528-149-0x00000262BB630000-0x00000262BB650000-memory.dmp

Filesize
128KB

Download
memory/1528-148-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/1528-147-0x00000262BB5E0000-0x00000262BB600000-memory.dmp

Filesize
128KB

Download
memory/1528-146-0x0000000140310068-mapping.dmp

Download
memory/1528-145-0x0000000140000000-0x0000000140787000-memory.dmp

Filesize
7.5MB

Download
memory/2416-160-0x0000017D3CBE3000-0x0000017D3CBE5000-memory.dmp

Filesize
8KB

Download
memory/2416-152-0x0000017D228C0000-0x0000017D228C2000-memory.dmp

Filesize
8KB

Download
memory/2416-154-0x0000017D229F0000-0x0000017D229F3000-memory.dmp

Filesize
12KB

Download
memory/2416-161-0x0000017D3CBE6000-0x0000017D3CBE7000-memory.dmp

Filesize
4KB

Download
memory/2416-157-0x0000017D228C0000-0x0000017D228C2000-memory.dmp

Filesize
8KB

Download
memory/2416-159-0x0000017D3CBE0000-0x0000017D3CBE2000-memory.dmp

Filesize
8KB

Download
memory/2416-153-0x0000017D228C0000-0x0000017D228C2000-memory.dmp

Filesize
8KB

Download
memory/2416-156-0x0000017D228C0000-0x0000017D228C2000-memory.dmp

Filesize
8KB

Download
memory/2416-151-0x0000017D228C0000-0x0000017D228C2000-memory.dmp

Filesize
8KB

Download
memory/2416-158-0x0000017D22730000-0x0000017D22736000-memory.dmp

Filesize
24KB

Download
memory/2416-150-0x0000017D228C0000-0x0000017D228C2000-memory.dmp

Filesize
8KB

Download
memory/3084-130-0x0000000000000000-mapping.dmp

Download
memory/3196-124-0x0000000000000000-mapping.dmp

Download
memory/3756-125-0x0000000000000000-mapping.dmp

Download
memory/3768-129-0x0000000001686000-0x0000000001687000-memory.dmp

Filesize
4KB

Download
memory/3768-118-0x0000000000400000-0x0000000001567000-memory.dmp

Filesize
17.4MB

Download
memory/3768-128-0x0000000001683000-0x0000000001685000-memory.dmp

Filesize
8KB

Download
memory/3768-126-0x0000000003360000-0x0000000003766000-memory.dmp

Filesize
4.0MB

Download
memory/3768-127-0x0000000001680000-0x0000000001682000-memory.dmp

Filesize
8KB

Download
memory/3768-123-0x00000000016D0000-0x00000000016D1000-memory.dmp

Filesize
4KB

Download
memory/3768-121-0x000000001D120000-0x000000001D522000-memory.dmp

Filesize
4.0MB

Download
memory/3768-120-0x00007FF9F62F0000-0x00007FF9F62F2000-memory.dmp

Filesize
8KB

Download
memory/4424-144-0x000000001CF26000-0x000000001CF27000-memory.dmp

Filesize
4KB

Download
memory/4424-142-0x000000001CF20000-0x000000001CF22000-memory.dmp

Filesize
8KB

Download
memory/4424-143-0x000000001CF23000-0x000000001CF25000-memory.dmp

Filesize
8KB

Download
memory/4424-134-0x0000000000400000-0x0000000001567000-memory.dmp

Filesize
17.4MB

Download
memory/4424-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads