Windows Analysis Report
NVIDIAWebHelper.exe

Overview

General Information

Sample name: NVIDIAWebHelper.exe
Analysis ID: 1579294
MD5: aede5b115882e8f128bc5dfed0afb87b
SHA1: 62e50003d787d1e125309e0d71b398245e310700
SHA256: 71cefea87e620a5fbef23fc1cebed9558646077b3a9d7af74f901a96c0520667
Tags: exe, user-aachum

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Query firmware table information (likely to detect VMs)
Tries to detect debuggers (CloseHandle check)
Tries to evade analysis by executing a special instruction (VM detection)
Checks if the current process is being debugged
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Sample file name is different from the original file name gathered from version info
Yara signature match

Classification

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: NVIDIAWebHelper.exe Virustotal: Detection: 59%
Source: NVIDIAWebHelper.exe ReversingLabs: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.9% probability
Source: NVIDIAWebHelper.exe Joe Sandbox ML: detected

Bitcoin Miner

Source: Yara match File source: 00000000.00000002.1879721744.00000213EB43C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NVIDIAWebHelper.exe PID: 5264, type: MEMORYSTR
Source: NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: stratum+tcp://
Source: NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: cryptonight/0
Source: NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: stratum+tcp://
Source: NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: XMRig 6.15.3
Source: NVIDIAWebHelper.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://xmrig.com/benchmark/%s
Source: NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp, NVIDIAWebHelper.exe, 00000000.00000002.1879721744.00000213EB469000.00000004.00000020.00020000.00000000.sdmp, NVIDIAWebHelper.exe, 00000000.00000002.1879721744.00000213EB43C000.00000004.00000020.00020000.00000000.sdmp, NVIDIAWebHelper.exe, 00000000.00000002.1879721744.00000213EB439000.00000004.00000020.00020000.00000000.sdmp, ConDrv.0.dr String found in binary or memory: https://xmrig.com/wizard
Source: NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://xmrig.com/wizard%s

System Summary

Source: 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: Process Memory Space: NVIDIAWebHelper.exe PID: 5264, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 Author: unknown
Source: NVIDIAWebHelper.exe Static PE information: Number of sections : 14 > 10
Source: NVIDIAWebHelper.exe, 00000000.00000002.1883596810.00007FF78B491000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamenode.exe, vs NVIDIAWebHelper.exe
Source: NVIDIAWebHelper.exe Binary or memory string: OriginalFilenamenode.exe, vs NVIDIAWebHelper.exe
Source: 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: NVIDIAWebHelper.exe PID: 5264, type: MEMORYSTR Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: classification engine Classification label: mal100.evad.mine.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_03
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: NVIDIAWebHelper.exe Virustotal: Detection: 59%
Source: NVIDIAWebHelper.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\NVIDIAWebHelper.exe "C:\Users\user\Desktop\NVIDIAWebHelper.exe"
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Section loaded: kernel.appcore.dll
Source: NVIDIAWebHelper.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: NVIDIAWebHelper.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: NVIDIAWebHelper.exe Static file information: File size 17680384 > 1048576
Source: NVIDIAWebHelper.exe Static PE information: Raw size of NVIDIAHE is bigger than: 0x100000 < 0x10b9800
Source: NVIDIAWebHelper.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sample Static PE information: section where entry point is pointing to: NVIDIAHE
Source: NVIDIAWebHelper.exe Static PE information: section name: _RANDOMX
Source: NVIDIAWebHelper.exe Static PE information: section name: _SHA3_25
Source: NVIDIAWebHelper.exe Static PE information: section name: _TEXT_CN
Source: NVIDIAWebHelper.exe Static PE information: section name: _TEXT_CN
Source: NVIDIAWebHelper.exe Static PE information: section name: _RDATA
Source: NVIDIAWebHelper.exe Static PE information: section name: NVIDIAHE
Source: NVIDIAWebHelper.exe Static PE information: section name: NVIDIAHE
Source: NVIDIAWebHelper.exe Static PE information: section name: NVIDIAHE

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Memory written: PID: 5264 base: 7FFE22370008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Memory written: PID: 5264 base: 7FFE2220D9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Memory written: PID: 5264 base: 7FFE2238000D value: E9 BB CB EB FF
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Memory written: PID: 5264 base: 7FFE2223CBC0 value: E9 5A 34 14 00

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Special instruction interceptor: First address: 7FF78AF7E9B8 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Special instruction interceptor: First address: 7FF78AF7E9C8 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe System information queried: CurrentTimeZoneInformation
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe Process queried: DebugPort
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78AED2188
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtQueryInformationProcess: Direct from: 0x7FF78A614166
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtSetInformationThread: Direct from: 0x7FF78A632E24
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Indirect: 0x7FF78A3B2159
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78AF53F71
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtMapViewOfSection: Direct from: 0x7FF78A40A107
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtQuerySystemInformation: Direct from: 0x7FF78AEFD202
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtQueryInformationProcess: Direct from: 0x7FF78AEBE36B
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtQuerySystemInformation: Direct from: 0x7FF78AF5B85C
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78AF723D9
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78AF6E941
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78AF6E9FC
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtQueryInformationProcess: Direct from: 0x7FF78A6C3F6D
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78A5A7F02
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78AF506EE
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtQuerySystemInformation: Direct from: 0x7FF78A3C9A53
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78A3D6C17
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78AEFB32B
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtSetInformationThread: Direct from: 0x7FF78AF2F655
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtClose: Direct from: 0x7FF78AF0EC31
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78A5ECC5A
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtQuerySystemInformation: Direct from: 0x7FF78AF03B06
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78A5ECC7A
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtQuerySystemInformation: Direct from: 0x7FF78A5C31AF
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtOpenFile: Direct from: 0x7FF78A40C14A
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtUnmapViewOfSection: Direct from: 0x7FF78AEF7F74
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78A641D77
Source: C:\Users\user\Desktop\NVIDIAWebHelper.exe NtProtectVirtualMemory: Direct from: 0x7FF78AF4C5B4
No contacted IP infos