Overview

overview

10

Static

static

3

nxmr.exe

windows7-x64

10

nxmr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-01-2025 15:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nxmr.exe

  • Size

    5.6MB

  • MD5

    13b26b2c7048a92d6a843c1302618fad

  • SHA1

    89c2dfc01ac12ef2704c7669844ec69f1700c1ca

  • SHA256

    1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

  • SHA512

    d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

  • SSDEEP

    98304:ZMknXV8IFUX81qQ6lLYhJ/N0TB4HBDxWcLKamiwPZhsSZLZ1wpxGN:ZBnXV86UiqrlLY/8AW6YZPZf6HGN

Score
10/10
xmrigexecutionminer

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 14 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3320
      • C:\Users\Admin\AppData\Local\Temp\nxmr.exe
        "C:\Users\Admin\AppData\Local\Temp\nxmr.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        PID:4676
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1808
      • C:\Windows\System32\schtasks.exe
        C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
        2⤵
          PID:3752
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4340
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe
          2⤵
            PID:4356
          • C:\Windows\System32\dwm.exe
            C:\Windows\System32\dwm.exe
            2⤵
              PID:1288
          • C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
            "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
            1⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3172

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            fee026663fcb662152188784794028ee

            SHA1

            3c02a26a9cb16648fad85c6477b68ced3cb0cb45

            SHA256

            dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

            SHA512

            7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            2ac3c9ba89b8c2ef19c601ecebb82157

            SHA1

            a239a4b11438c00e5ff89ebd4a804ede6a01935b

            SHA256

            3c2714ce07f8c04b3f8222dfe50d8ae08f548b0e6e79fe33d08bf6f4c2e5143e

            SHA512

            b1221d29e747b37071761b2509e9109b522cce6411f73f27c9428ac332d26b9f413ae6b8c0aeac1afb7fab2d0b3b1c4af189da12fe506287596df2ef8f083432

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgggwxzg.dz5.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
            Filesize

            5.6MB

            MD5

            13b26b2c7048a92d6a843c1302618fad

            SHA1

            89c2dfc01ac12ef2704c7669844ec69f1700c1ca

            SHA256

            1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

            SHA512

            d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

            Download Submit

          • memory/1288-53-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-47-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-55-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-51-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-67-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-49-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-57-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-43-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-45-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-65-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-63-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-59-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1288-41-0x00000246968B0000-0x00000246968D0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1288-61-0x00007FF732E20000-0x00007FF73360F000-memory.dmp

            Filesize

            7.9MB

            Download

          • memory/1808-11-0x00007FF885D50000-0x00007FF886811000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1808-1-0x00000213FDE00000-0x00000213FDE22000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1808-13-0x00007FF885D50000-0x00007FF886811000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1808-12-0x00007FF885D50000-0x00007FF886811000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1808-17-0x00007FF885D50000-0x00007FF886811000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1808-0-0x00007FF885D53000-0x00007FF885D55000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1808-14-0x00007FF885D50000-0x00007FF886811000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3172-39-0x00007FF6EDF40000-0x00007FF6EE4D7000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4340-22-0x00007FF886080000-0x00007FF886B41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4340-35-0x00007FF886080000-0x00007FF886B41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4340-32-0x00007FF886080000-0x00007FF886B41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4356-44-0x00007FF648650000-0x00007FF648679000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4356-42-0x00007FF648650000-0x00007FF648679000-memory.dmp

            Filesize

            164KB

            Download

          • memory/4676-19-0x00007FF788040000-0x00007FF7885D7000-memory.dmp

            Filesize

            5.6MB

            Download