Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

NVIDIAWebHelper.exe

PE32+ executable (console) x86-64, for MS Windows

initial sample

Details

Filetype:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	7.842343897415449
Filename:	NVIDIAWebHelper.exe
Filesize:	17680384
MD5:	aede5b115882e8f128bc5dfed0afb87b
SHA1:	62e50003d787d1e125309e0d71b398245e310700
SHA256:	71cefea87e620a5fbef23fc1cebed9558646077b3a9d7af74f901a96c0520667
SHA512:	0c51f1b096dce46ee890ca103ccaeb5aa849f2f31f2a876adf128bf961bacff7060ace533bbb5709da85bed11027967c3499389faa97daf7d108eead1126c275
SSDEEP:	196608:dSwhUq4hKQ+U84BVPeeMAIghZaViMNbJJOKH/rT9EZY+RAMO418g4nEd7d2Of37J:dT4V+0nNZaViMpzO4n+d54nEdB9NoC
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......a..........".......1...B.....V."........@.............................0.......[....`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Found direct / indirect Syscall (likely to bypass EDR)	HIPS / PFW / Operating System Protection Evasion	Abuse Elevation Control Mechanism
Found strings related to Crypto-Mining	Bitcoin Miner
Hides threads from debuggers	Anti Debugging
Machine Learning detection for sample	AV Detection
Overwrites code with unconditional jumps - possibly settings hooks in foreign process	Hooking and other Techniques for Hiding and Protection	Credential API Hooking
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion Security Software Discovery
Tries to detect debuggers (CloseHandle check)	Anti Debugging
Tries to evade analysis by execution special instruction (VM detection)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Potential time zone aware malware	Malware Analysis System Evasion	System Time Discovery
Sample file is different than original file name gathered from version info	System Summary
Queries a list of all running drivers	Malware Analysis System Evasion	System Information Discovery
Queries a list of all running processes	Malware Analysis System Evasion	Process Discovery
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

\Device\ConDrv

ASCII text, with CRLF, CR line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\NVIDIAWebHelper.exe
Type:	ASCII text, with CRLF, CR line terminators
Entropy:	5.125114409209716
Encrypted:	false
Ssdeep:	6:o9zjNCwvG25zZvajdnCwM5zZvaj2pCwZIFzZvajo6QIR/BJrXMnGTJzey:oVRtAttlKptZIWFRJJTMGgy
Size:	321
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\NVIDIAWebHelper.exe

"C:\Users\user\Desktop\NVIDIAWebHelper.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5264
Target ID:	0
Parent PID:	2580
Name:	NVIDIAWebHelper.exe
Path:	C:\Users\user\Desktop\NVIDIAWebHelper.exe
Commandline:	"C:\Users\user\Desktop\NVIDIAWebHelper.exe"
Size:	17680384
MD5:	AEDE5B115882E8F128BC5DFED0AFB87B
Time:	07:19:05
Date:	21/12/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff789380000
Modulesize:	34746368
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Xmrig cryptocurrency miner	Bitcoin Miner
Machine Learning detection for sample	AV Detection
PE file contains more sections than normal	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file has a big raw section	System Summary
PE file has a big code size	System Summary
PE file has a high image base, often used for DLLs	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	5924
Target ID:	1
Parent PID:	5264
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	07:19:06
Date:	21/12/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://xmrig.com/benchmark/%s

unknown

Details

Name:	https://xmrig.com/benchmark/%s
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\NVIDIAWebHelper.exe
Source:	NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://xmrig.com/wizard

unknown

Details

Name:	https://xmrig.com/wizard
TargetID:	-1
From Memory:	true
Source:	NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp, NVIDIAWebHelper.exe, 00000000.00000002.1879721744.00000213EB469000.00000004.00000020.00020000.00000000.sdmp, NVIDIAWebHelper.exe, 00000000.00000002.1879721744.00000213EB43C000.00000004.00000020.00020000.00000000.sdmp, NVIDIAWebHelper.exe, 00000000.00000002.1879721744.00000213EB439000.00000004.00000020.00020000.00000000.sdmp, ConDrv.0.dr
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://xmrig.com/wizard%s

unknown

Details

Name:	https://xmrig.com/wizard%s
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\NVIDIAWebHelper.exe
Source:	NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://xmrig.com/docs/algorithms

unknown

Details

Name:	https://xmrig.com/docs/algorithms
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\NVIDIAWebHelper.exe
Source:	NVIDIAWebHelper.exe, 00000000.00000002.1880188744.00007FF7896A0000.00000002.00000001.01000000.00000003.sdmp
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF7896A0000

unkown

page readonly

213EB43C000

heap

page read and write

7FF7897CE000

unkown

page read and write

213ECEC0000

heap

page read and write

7FF789A9D000

unkown

page execute read

7FF78B485000

unkown

page readonly

213EB3B0000

heap

page read and write

D4F4B5C000

stack

page read and write

7FF78B480000

unkown

page readonly

7FF78B491000

unkown

page readonly

7FF789380000

unkown

page readonly

7FF78B491000

unkown

page readonly

7FF789AD8000

unkown

page read and write

213EB469000

heap

page read and write

7FF78B480000

unkown

page readonly

7FF789AA3000

unkown

page readonly

7FF789380000

unkown

page readonly

D4F4EFF000

stack

page read and write

7FF78A3C6000

unkown

page execute read

7FF789381000

unkown

page execute read

213EB360000

heap

page read and write

7FF78ADC6000

unkown

page execute read

7FF78ADC6000

unkown

page execute read

213EB280000

heap

page read and write

7FF789AA4000

unkown

page execute read

213EB390000

heap

page read and write

213ECDE4000

heap

page read and write

7FF78A3C4000

unkown

page read and write

D4F4FFF000

stack

page read and write

7FF789A7D000

unkown

page read and write

213EB439000

heap

page read and write

213ECDE0000

heap

page read and write

7FF789ADE000

unkown

page execute read

7FF789A7E000

unkown

page readonly

213EB3D0000

direct allocation

page execute read

213EB430000

heap

page read and write

7FF78B485000

unkown

page readonly

7FF789A6A000

unkown

page read and write

213EB3D0000

trusted library allocation

page read and write

7FF78A3C6000

unkown

page execute read

213EB3D0000

trusted library allocation

page read and write

There are 31 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
NVIDIAWebHelper.exe

Files

Processes

URLs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportNVIDIAWebHelper.exe

Files

Processes

URLs

Memdumps

IOC Report
NVIDIAWebHelper.exe